AUTHENTICATED 
US. GOVERNMENT 
INFORMATION ^ 


SECURING FEDERAL FACILITIES: AN EXAMINATION 
OF EPS PROGRESS IN IMPROVING OVERSIGHT 
AND ASSESSING RISK 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON CYBERSECURITY, 
INFRASTRUCTURE PROTECTION, 
AND SECURITY TECHNOLOGIES 

OF THE 

COMMITTEE ON HOMELAND SECURITY 
HOUSE OF REPRESENTATDH]S 

ONE HUNDRED TWELFTH CONGRESS 

SECOND SESSION 

JULY 24, 2012 

Serial No. 112-108 


Printed for the use of the Committee on Homeland Security 



Available via the World Wide Web: http://www.gpo.gov/fdsys/ 


U.S. GOVERNMENT PRINTING OFFICE 
80-850 PDF WASHINGTON : 2013 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON HOMELAND SECURITY 

Peter T. King, New York, Chairman 


Lamar Smith, Texas 
Daniel E. Lungren, California 
Mike Rogers, Alabama 
Michael T. McCaul, Texas 
Gus M. Bilirakis, Florida 
Paul C. Broun, Georgia 
Candice S. Miller, Michigan 
Tim Walberg, Michigan 
Chip Cravaack, Minnesota 
Joe Walsh, Illinois 
Patrick Meehan, Pennsylvania 
Ben Quayle, Arizona 
Scott Rigell, Virginia 
Billy Long, Missouri 
Jeff Duncan, South Carolina 
Tom Marino, Pennsylvania 
Blake Farenthold, Texas 
Robert L. Turner, New York 


Bennie G. Thompson, Mississippi 
Loretta Sanchez, California 
Sheila Jackson Lee, Texas 
Henry Cuellar, Texas 
Yvette D. Clarke, New York 
Laura Richardson, California 
Danny K. Davis, Illinois 
Brian Higgins, New York 
Cedric L. Richmond, Louisiana 
Hansen Clarke, Michigan 
William R. Keating, Massachusetts 
Kathleen C. Hochul, New York 
Janice Hahn, California 
Ron Barber, Arizona 


Michael J. Russell, Staff Director ! Chief Counsel 
Kerry Ann Watkins, Senior Policy Director 
Michael S. Twinchek, Chief Clerk 
1. Lanier Avant, Minority Staff Director 


SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, 
AND SECURITY TECHNOLOGIES 


Daniel E. Lungren, California, Chairman 


Michael T. McCaul, Texas 

Tim Walberg, Michigan, Vice Chair 

Patrick Meehan, Pennsylvania 

Billy Long, Missouri 

Tom Marino, Pennsylvania 

Peter T. King, New York (Ex Officio) 


Yvette D. Clarke, New York 

Laura Richardson, California 

Cedric L. Richmond, Louisiana 

William R. Keating, Massachusetts 

Bennie G. Thompson, Mississippi (Ex Officio) 


Coley C. O’Brien, Staff Director 
Zachary D. Harris, Subcommittee Clerk 
Chris Schepis, Minority Senior Professional Staff Member 


(H) 



CONTENTS 


Page 

Statements 

The Honorable Daniel E. Lungren, a Representative in Congress From the 
State of California, and Chairman, Subcommittee on Cybersecurity, Infra- 
structure Protection, and Security Technologies: 

Oral Statement 1 

Prepared Statement 3 

The Honorable Yvette D. Clarke, a Representative in Congress From the 
State of New York, and Ranking Member, Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technologies: 

Oral Statement 4 

Prepared Statement 5 

Witnesses 

General L. Eric Patterson, Director, Federal Protective Service, Department 
of Homeland Security: 

Oral Statement 7 

Prepared Statement 8 

Mr. Mark L. Goldstein, Director, Physical Infrastructure Issues, Government 
Accountability Office: 

Oral Statement 11 

Prepared Statement 12 

Dr. James P. Peerenboom, Director, Infrastructure Assurance Center, Asso- 
ciate Director, Decision and Information Sciences Division, Argonne Na- 
tional Laboratory: 

Oral Statement 18 

Prepared Statement 19 

Appendix 

Questions From Chairman Daniel E. Lungren for L. Eric Patterson 33 

Questions From Ranking Member Yvette D. Clarke for L. Eric Patterson 33 

Questions From Ranking Member Yvette D. Clarke for Mark L. Goldstein 34 

Questions From Ranking Member Yvette D. Clarke for James P. 
Peerenboom 35 


(III) 




SECURING FEDERAL FACILITIES: AN EXAM- 
INATION OF FPS PROGRESS IN IMPROVING 
OVERSIGHT AND ASSESSING RISK 


Tuesday, July 24, 2012 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Washington, DC. 

The subcommittee met, pursuant to call, at 10:09 a.m., in Room 
311, Cannon House Office Building, Hon. Daniel E. Lungren 
[Chairman of the subcommittee] presiding. 

Present: Representatives Lungren, Walberg, Clarke, Richmond, 
and Keating. 

Mr. Lungren. The Committee on Homeland Security, Sub- 
committee on Cybersecurity, Infrastructure Protection, and Secu- 
rity Technologies will come to order. The subcommittee is meeting 
today to examine the Federal Protective Service and the possible 
need for reform. 

Ms. Clarke will be here shortly, and so I am just going to give 
my opening statement and when she arrives she will be able to 
give her opening statement. 

Thank you very much for being here, all three of our witnesses. 
This is an important hearing. 

The Federal Protective Service is a vital part of the Department 
of Homeland Security. It is the largest operational component with- 
in the National Protection and Programs Directorate. 

The FPS mission is to protect over 9,000 Government buildings 
and their 1.4 million occupants, which are essential to the day-to- 
day operations of the Federal Government. Recent incidents at 
Federal facilities such as the failed improvised explosive device, as 
well as the bombing of Oklahoma City’s Murrah Federal Building 
in 1995, remind us the Federal facilities remain attractive terrorist 
targets. 

This subcommittee has conducted rigorous oversight over the 
Federal Protective Service this Congress. Last July we held a hear- 
ing which identified some of the perennial problems plaguing the 
FPS. 

In that hearing we discussed failures of contract guard oversight 
and their training program, including the egregious mishandling of 
an lED in Detroit. We also discussed the failed development of 
FPS’s risk management program, known as RAMP, which cost the 
Federal Government $35 million over 4 years. I am hopeful and 
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cautiously optimistic that these problems represent the low-water 
mark for FPS. 

Since 2008 GAO has made 32 recommendations to improve FPS 
security vulnerabilities and other operational problems, five of 
which have been implemented and 20 which are in the process of 
implementation. 

From the outset I do want to commend Director Patterson for his 
leadership. I believe the recent successes in implementing GAO 
recommendations are in part the result of improved dialogue and 
outreach with the private sector as well as the efforts of FPS’s own 
workforce. 

I think this dialogue is extremely important as FPS works to ad- 
dress the remaining GAO recommendations, especially in its two 
core areas of responsibility: First, its ability to conduct risk assess- 
ments of Federal buildings; and second, to provide necessary over- 
sight and training for its contract guard force. 

Regarding the first responsibility, FPS began operational testing 
this last spring for a new risk assessment tool, known as the modi- 
fied infrastructure survey tool, or MIST, which was developed in 
partnership with the Argonne National Laboratory. MIST is in- 
tended to be an interim tool that FPS inspectors use to conduct 
vulnerability assessments in the aftermath of the RAMP failure. 

I understand, am informed that there is a disagreement between 
FPS and GAO with regard to the limitations and benefits of MIST 
and I look forward to hearing from our witnesses regarding these 
differences. I am aware of some of the limitations identified by 
GAO that MIST does not account for consequence information and 
therefore does not provide FPS the comprehensive ability to man- 
age risk. I also understand GAO has concerns that MIST is neither 
compliant with the National infrastructure protection plan frame- 
work nor compliant with standards developed by the Interagency 
Security Committee. 

I think these are very legitimate questions raised by GAO and 
important standards FPS should meet when it develops a longer- 
term solution. Nonetheless, I do consider MIST development a step 
in the right direction for an agency that has taken a series of steps 
in the wrong direction over the last decade. 

FPS has always stated that MIST is intended to serve as an in- 
terim tool until a longer-term solution is developed. However, FPS 
has never stated what the longer-term solution will be. So I look 
forward to hearing from Director Patterson on his vision for MIST’s 
future as a risk management tool. 

I also look forward to learning about what FPS is doing to ad- 
dress GAO’s findings about unnecessary duplication of risk assess- 
ments by several FPS customers who in some instances have ex- 
pressed dissatisfaction with FPS’s assessments — for instance, the 
IRS, FEMA, and EPA. 

Providing oversight and training of the contract guard program 
is also a critical responsibility of EPS. At last summer’s hearing Di- 
rector Patterson stated that he was looking at different ways that 
EPS may be able to improve delivery of X-ray and magnetometer 
training. 

I look forward to hearing more about how these ideas have devel- 
oped since last year. I also understand there has been outreach to 
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the private sector regarding better training options and I commend 
you for those efforts. 

Finally, FPS has undergone significant transition since joining 
the Department of Homeland Security. After initially being placed 
under ICE, after the creation of DHS, FPS moved to NPPD in 
2010, and last summer NPPD notified the committee that it was 
once again considering reorganizing the directorate. Is reorganiza- 
tion being contemplated, and if so, how will this impact FPS? 

I want to thank all of our witnesses for being here this morning, 
and I look forward to your testimony on the progress made by the 
FPS in securing our Nation’s Federal facilities. 

[The statement of Chairman Lungren follows:] 

Statement of Chairman Daniel E. Lungren 
July 24, 2012 

The Federal Protective Service (FPS) is a vital part of the Department of Home- 
land Security and is the largest operational component ■within the National Protec- 
tion and Programs Directorate (NPPD). Its mission to protect some 9,000 Govern- 
ment buildings and its 1.4 million occupants is essential for the Federal Govern- 
ment to continue day-to-day operations. Recent incidents at Federal facilities such 
as the failed lED attempt in Detroit, and the bombing of Oklahoma City’s Murrah 
Federal Building in 1995, remind us that Federal facilities remain significant sym- 
bolic targets for terrorists. 

This subcommittee has conducted rigorous oversight over the Federal Protective 
Service this Congress. Last July we held a hearing which identified some of the pe- 
rennial problems plaguing the FPS. In that hearing we discussed failures of contract 
guard oversight and training, including the egregious mishandling of an attempted 
Improvised Explosive Devise in Detroit, and the failed development of a risk man- 
agement program known as RAMP, which after 5 years of development, cost the 
Federal Government somewhere between $36-57 million with little to show for. I 
am hopeful that these incidents represent the low-water mark for FPS, and I am 
cautiously optimistic about FPS’s future. 

Last July the GAO had issued a total of 28 recommendations for FPS to address, 
yet at the time none were implemented. Today, I am encouraged to note that while 
GAO has recommended 32 recommendations, to date, 5 have been implemented and 
20 are in the process of implementation. This represents significant progress. 

From the outset, I want to commend Director Patterson for his leadership and the 
agency’s recent successes. These successes, I believe are in part the result of im- 
proved dialogue and substantial outreach with private-sector partners as well FPS’s 
own workforce. I think this dialogue is extremely important as FPS works to ad- 
dress important recommendations made by the Government Accountability Office, 
especially as it works to improve two of its core areas of responsibility: (1) Its ability 
to conduct risk assessments of Federal buildings; and (2) pro'vide necessary over- 
sight and training for its Contract Guard Program. 

Regarding this first responsibility, FPS began operational testing this last spring 
for a new risk assessment tool, known as the Modified Infrastructure Survey Tool 
or MIST, which was developed in partnership with the Argonne National Labora- 
tory. MIST is intended to be an interim tool FPS inspectors use to conduct facility 
security assessments, in the aftermath of RAMP’s failure. 

I understand there is some pretty substantial disagreement between FPS and 
GAO with regard to the limitations and benefits of MIST and I look forward to hear- 
ing from our witnesses regarding these differences. I am aware of some of the limi- 
tations identified by GAO, such as that MIST does not account for “consequence” 
information, and therefore does not provide FPS the comprehensive ability to man- 
age risk. I also understand GAO has concerns that MIST is neither compliant with 
the National Infrastructure Protection Plan framework nor compliant with stand- 
ards developed by the Interagency Security Committee. I think these are very legiti- 
mate questions raised by GAO, and are important standards FPS should meet when 
it develops a longer-term solution. 

Nonetheless, I consider MIST’s development a step in the right direction for an 
agency that has taken a series of steps in the wrong direction over the last decade. 
FPS has always stated that MIST is intended to serve as an interim tool until a 
longer-term solution is developed. However, FPS has never stated what the longer- 
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term solution will be. I look forward to hearing from Director Patterson on his vision 
for mist’s future as a risk management tool. I also look forward to learning about 
what FPS is doing to address GAO’s finding about unnecessary duplication of risk 
assessments by several FPS customers, who in some instances, are dissatisfied by 
assessments provided by FPS. 

Providing oversight and training of the contract guard program is also a critical 
responsibility of FPS. At last summer’s hearing Director Patterson stated that he 
was looking at different ways FPS may he ahle to improve delivery of X-ray and 
magnetometer training. I look forward to hearing more about how these ideas have 
developed since last year. I understand there has been significant outreach with the 
private sector that may he ahle to better deliver training, and I commend you for 
putting an emphasis on training in your tenure at FPS. 

Finally, FPS has undergone significant transition since joining the Department of 
Homeland Security. After initially being placed under ICE after the creation of 
DHS, FPS moved to NPPD in 2010. Last summer, NPPD notified the committee 
that it was once again considering reorganizing the agency which FPS was assigned. 
However, since last summer, the Department has been silent on its plans to reorga- 
nize NPPD, so I am very much looking forward to hearing from Director Patterson 
on his thoughts on reorganization, and if we can expect any more information on 
this soon. 

I want to thank all of our witnesses for being here this morning and look forward 
to their testimony on progress made by the FPS securing our Nation’s Federal facili- 
ties. I now recognize the gentle lady from New York, the Ranking Member of this 
subcommittee, Ms. Clarke, for her opening statement. 

Mr. Lungren. I now have the pleasure of recognizing the gentle 
lady from New York, the Ranking Member of the subcommittee, 
Ms. Clarke, for her opening statement. 

Ms. Clarke. Thank you, Mr. Chairman, and thank you for hold- 
ing this hearing today. Today’s hearing will allow the sub- 
committee to hear from witnesses about the Federal Protective 
Service’s progress in improving its ability to provide adequate pro- 
tection to the Federal Government’s more than 9,000 facilities. 

Given the numerous studies that FPS has undertaken by the 
Government Accountability Office and the multiple hearings held 
by this committee, the subcommittee is interested in learning about 
the actions FPS has taken to upgrade its ability to conduct facility 
security assessments, better manage its contract guard staff, and 
to enhance funding for its operations. We need a more clear expla- 
nation of the implementation and utility of the modern infrastruc- 
ture survey tool, or MIST, and how it compares, hopefully sur- 
passes, the failed risk assessment and management program, or 
RAMP. 

The subcommittee must be assured that after investing approxi- 
mately $35 million RAMP without yielding any demonstrable out- 
comes FPS is indeed expending its resources effectively and scaling 
up MIST. We need assurances that MIST is working as an interim 
solution, and we need to know what FPS’s long-term strategy to re- 
place RAMP. Also, as the designated leader of the Federal Govern- 
ment facilities sector FPS has an important role to play in assuring 
that the Federal critical infrastructure both secure — that the — ex- 
cuse me — the Federal critical infrastructure is both secure and re- 
silient in the event of a catastrophic occurrence. 

In August GAO will issue a report at Ranking Member Thomp- 
son’s request that evaluates the Department’s activities regarding 
the Government facilities sector with a particular emphasis on 
FPS’s role as the designated sector leader. I look forward to the re- 
lease of that report and hope that we are able to revisit this subject 
at that time. 
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Finally, Mr. Chairman, I am concerned that FPS is forced to bear 
the cost of developing and implementing a program capable of com- 
pleting security assessments of Federal buildings. It seems to me 
that as the landlord for most Federal buildings, the General Serv- 
ices Administration benefits from these security assessments. I 
look forward to hearing from our witnesses today about the role of 
GSA in sharing the cost of the assessment program. 

Having said that, thank you, Mr. Chairman, and I yield back. 

[The statement of Ranking Member Clarke follows:] 

Statement of Ranking Member Yvette D. Clarke 
July 26, 2012 

Mr. Chairman, thank you for holding this hearing to discuss developments in the 
Domestic Nuclear Detection Office Strategy, and the Global Nuclear Detection Ar- 
chitecture. 

It has been said before, the enormous devastation that would result if terrorists 
use a nuclear weapon or nuclear materials successfully, requires us to do all we can 
to prevent them from entering or moving through the United States. 

This subcommittee, in its oversight capacity, has held hearings starting in 2005, 
and continuing through 2012, regarding the development and implementation of the 
GNDA and in the decision-making process that involves costly investments in it. 

The overarching issues include the balance between investment in near-term and 
long-term solutions for architecture gaps, the degree and efficiency of Federal agen- 
cy coordination, the mechanism for setting agency investment priorities in the archi- 
tecture, and the efforts DNDO has undertaken to retain institutional knowledge re- 
garding this sustained effort. 

In the policy and strategy documents of the GNDA, DNDO is responsible for de- 
veloping the global strategy for nuclear detection, and each Federal agency that has 
a role in combating nuclear smuggling is responsible for implementing its own pro- 
grams. DNDO identified 73 Federal programs, which are primarily funded by DOD, 
DOE, and DRS that engage in radiological and nuclear detection activities. 

With the publication of an overall DNDO strategy document and the release of 
the Global Nuclear Detection Architecture and implementation plan. Congress will 
have a better idea of how to judge the DNDO’s policy, strategy operations, tactics, 
and implementation. 

But we need to know more about their R&D activities, their resource requests, 
and their asset allocations. And I know that I might sound like a broken record be- 
fore the day is through, but from the very start of the ASP program which was offi- 
cially cancelled just 10 days ago, July 16, DNDO seemed to push for acquisition de- 
cisions well before the technology had demonstrated that it could live up to its 
promise. 

On July 14, 2006, Secretary of Homeland Security Michael Chertoff and the then- 
Director of DNDO, Mr. Oxford, one of our witnesses today, announced contract 
awards to three companies worth an estimated $1.2 billion to develop ASPs, includ- 
ing the Raytheon Company from Massachusetts, the Thermo Electron Company 
from Santa Fe, New Mexico, and Canberra Industries from Connecticut. Both Sec- 
retary Chertoff and Oxford held a press conference to announce the billion-dollar 
contract awards just a few months after highly critical reviews of the ASPs’ abilities 
by the GAO and the National Institute of Standards and Technology (NIST). 

I hope we don’t see that kind of decision making again in DNDO. 

Within DNDO, policy and strategy have historically not been adequately trans- 
lated into operations, tactics, and implementation. Overlapping missions, especially 
in the field of nuclear detection, worsen this. 

Since 2009, DNDO has made important changes under Secretary Napolitano, and 
made especially good progress in nuclear forensics. And I hope that our Congres- 
sional oversight has had an effect, a positive one, in bringing to light decisions that 
cost the taxpayers a lot of money, with little to show. 

In 2010, the Science and Technology (S&T) Directorate requested $109,000 million 
for the Transformational Research and Development Radiological and Nuclear Divi- 
sion. This research was to be transferred from DNDO to the S&T Directorate, ^ and 
the Democratic committee Members supported the transition of radiological and nu- 
clear research away from DNDO into S&T. The committee, under then-Chairman 


IDHS Fiscal Year 2011 Budget in Brief, ICE 10-2647.000474. p. 139. 
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Thompson, worked to make this transition happen, and we believe that research 
and development, and operations and procurement, are best left to separate organi- 
zations in order to avoid the obvious conflict of interest. 

What I hope we are going to hear today is how DNDO’s mission can be better- 
defined. Some claim there is still confusion as to whether it is an end-to-end RDT&E 
and procurement entity for all things nuclear/radiological, a development entity, or 
an operational entity, and question whether there is an inherent conflict of interest 
when an agency is both an R&D workshop and a procurement platform. 

Let me finish with this thought, completely out of the policy arena. On the 
ground, and every day, our nuclear deterrence effort requires motivated and vigilant 
officers supplied with the best equipment and intelligence we can give them. Cus- 
toms and Border Patrol officers working at our Nation’s ports of entry have an ex- 
tremely complex and difficult job. 

Thousands of decisions are made every day to clear a container or personal vehi- 
cle for transit into the United States, require further inspection, or even deny entry 
or interdict such a vehicle or person, and that is the hard, cold, every-day reality 
of our mission to prevent this kind of violent nuclear attack. 

We must do our best. 

I look forward to hearing from our witnesses today and with that, Mr. Chairman, 
I 3deld back. 

Mr. Lungren. I thank the gentlelady for her comments, and I 
think the panel can tell that we are on the same page at looking 
at what the progress has been since our last hearing. 

General L. Eric Patterson was appointed director of the Federal 
Protective Service, a subcomponent of the National Protective — 
Protection and Programs Directorate, in September 2010. He pre- 
viously served as the deputy director of the Defense Counterintel- 
ligence HUMINT Center at the Defense Intelligence Agency. 

Prior to joining DIA Mr. Patterson served as a principal with 
Booz Allen Hamilton where he supported two of the Defense Tech- 
nical Information Center analysis centers, one focused on informa- 
tion assurance and the other on the survivability and vulnerability 
of defense systems. He is a retired United States Air Force briga- 
dier general with 30 years of service. 

Mr. Mark Goldstein is the director of physical infrastructure 
issues at GAO. Mr. Goldstein is responsible for the agency’s work 
in Federal property and telecommunications. A former award-win- 
ning journalist and author, his other public service work has in- 
cluded roles as chief of staff to the D.C. Financial Control Board 
and senior investigative staff to the Senate Committee on Govern- 
mental Affairs. 

Dr. James Peerenboom is the associate director of the decision 
and information sciences division at the Argonne National Labora- 
tory, near Chicago, Illinois. In this role he is responsible for leading 
multidisciplinary teams of scientists and engineers in developing 
innovative solutions for infrastructure assurance, systems analysis, 
decision and risk analysis, and advanced modeling and simulation 
problems. 

For the past 15 years he has focused on critical infrastructure 
protection and resilience issues, providing technical support to the 
Departments of Energy and Homeland Security, the President’s 
commission on critical infrastructure protection, and White House 
Office of Science and Technology Policy. He received his Ph.D in 
energy and environmental systems from the Institute of Environ- 
mental Studies and an M.S. and B.S. in nuclear engineering from 
the University of Wisconsin at Madison. 

Gentlemen, we ask you — well, we would first indicate that your 
written testimony will be made a part of the record and would ask 
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that you summarize your testimony with any additions as you wish 
in 5 minutes, and then we will have a round of questioning. 

So the Chairman would recognize Director Patterson to begin. 

STATEMENT OF L. ERIC PATTERSON, DIRECTOR, FEDERAL 

PROTECTIVE SERVICE, DEPARTMENT OF HOMELAND SECU- 
RITY 

General Patterson. Good morning. Thank you, Chairman Lun- 
gren. Ranking Member Clarke. 

My name is Eric Patterson and I am the director of the Federal 
Protective Service within the Department of Homeland Security’s 
National Protection and Programs Directorate. I am honored to ap- 
pear before you today to discuss FPS’s progress in addressing some 
historically identified challenges. 

FPS’s mission is to protect more than 9,000 Federal buildings 
throughout the United States and its territories and the 1.4 million 
Federal employees and visitors who occupy and conduct business in 
them every day. We execute this mission by providing proactive 
law enforcement, investigations, protective intelligence, incident re- 
sponse, security planning, and stakeholder engagement. 

Based upon my experience in the ever-changing threat environ- 
ment, my belief is that risk assessment is a continuous process and 
not a static event. Our law enforcement and physical security pro- 
fessionals continually provide access risk and implement mitigation 
strategies through their daily activities. 

During fiscal year 2011 FPS investigated and mitigated more 
than 1,300 threats and assaults directed towards Federal facilities 
and their occupants, made close to 2,000 arrests, responded to 
53,000 incidents, and prevented the entry of hundreds of thousands 
of prohibited items into Federal facilities. FPS also conducted 1,800 
Operation Shield exercises, 150 Covert Test operations, over 80,000 
post inspections, and also validated the training of thousands of 
protective security officers that we oversee. 

Over the past year FPS developed an important partnership with 
Argonne National Lab resulting in the completed development and 
current deployment of a new facility security assessment tool, 
called the modified infrastructure survey tool, or MIST. MIST will 
enable comprehensive and consistent FSAs that will allow Federal 
tenant agencies to make informed security and risk management 
decisions. The MIST tool is a welcome addition to FPS’s portfolio 
of on-going facility assessment efforts and strategies. 

As GAO has indicated, FPS employed the best project manage- 
ment principles in the development of MIST. MIST requirements 
were developed leveraging the knowledge obtained from our long- 
standing relationships with the General Services Administration, 
the Facility Security Committee, and other customers. 

As we move to measure and assure the successful performance 
of MIST my plan is to build upon this foundation to improve FPS’s 
management of other significant programs — for example, our pro- 
tective security officer program. Just as technology is enhancing 
our risk assessment processes, I plan to better leverage technology 
to allow for more effective oversight of our contract PSOs. 

A key enabler of these actions will come from the good work of 
our collaboration with the Systems Engineering and Design Insti- 
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tute, SEDI, a Federally-funded research and development center. 
We have engaged the SEDI to produce a full mapping of EPS ac- 
tivities and to then align them with EPS’s current fee structure. 
That work will be used to produce an activity-based cost model for 
EPS. 

These efforts are designed to result in a more efficient revenue 
structure for EPS and greater transparency on security costs for 
EPS stakeholders. 

I am also pleased to note that some of our recent progress in- 
cludes an increased participation in the important work of the 
Interagency Security Committee to include chairing a new ISC 
working group which will look at the future of Federal workplace 
security and the newly reconstituted Training Subcommittee. 

EPS’s program — progress in the past year and our path forward 
leveraging partnerships and technology is clearly in direct support 
of our long-term vision. It will continue to take time, deliberate 
planning, and the dedication of our employees and partners to fully 
realize our vision and I look forward to keeping you apprised of our 
progress. 

Again, thank you for the opportunity to discuss EPS with you 
today, and I would be happy to answer any questions you might 
have. 

[The prepared statement of Mr. Patterson follows:] 

Prepared Statement of L. Eric Patterson 
July 24, 2012 

Thank you Chairman Lungren, Ranking Member Clarke, and the distinguished 
Members of the subcommittee. My name is Eric Patterson, and I am the Director 
of the Federal Protective Service (EPS) within the Department of Homeland Secu- 
rity’s (DHS) National Protection and Programs Directorate (NPPD). 

I am honored to appear before you today to discuss NPPD/FPS’s progress in uti- 
lizing key protection and risk management practices such as allocation of resources, 
leveraging technology, and enhancing information sharing and coordination. 

The GAO has raised several areas that have historically represented challenges 
for EPS including: 

1. Absence of a risk management program; 

2. Addressing key human capital issues through a strategic human capital plan; 

3. Contract Guard workforce management and oversight; and 

4. Need for a review of EPS’s fee design. 

Today’s hearing is an opportunity to address the progress EPS has made during 
the past year in working to address these challenges, and to also provide informa- 
tion on the topics addressed in GAO’s new report related to risk assessment and 
Protective Security Officer (PSO) program management and oversight. 

EPS BACKGROUND 

EPS’s mission is to protect more than 9,000 Eederal buildings and the 1.4 million 
Federal employees and visitors who occupy them throughout the country every day 
by leveraging the intelligence and information resources of its network of public and 
private-sector partners. Specifically, EPS executes its mission by providing proactive 
law enforcement, investigation and protective intelligence and information sharing 
services, incident response, security planning, and stakeholder engagement. Prior to 
its transfer to NPPD in 2009, FPS was organized under Immigration and Customs 
Enforcement and prior to that, under the General Services Administration (GSA). 

Part of our core mission is to assess the threat picture for the Government Facili- 
ties Sector (GFS) and share that information with stakeholders as appropriate. For 
example, FPS leverages the Homeland Security Information Network (HSIN), a se- 
cure, trusted web-based portal to share information with our more than 900 Govern- 
ment and industry partners. One of the recent information-sharing initiatives FPS 
has implemented to assist in the protection of facilities and their occupants is the 
Federal Facility Threat Picture (FFTP), which is an unclassified assessment of the 
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current known threats to the facilities FPS protects. Produced quarterly, the FFTP 
supports the threat component of a Federal Security Assessments (FSA) and in- 
forms our stakeholders of potential threats to Government facilities. The FFTP fo- 
cuses on the threats posed by a variety of actors that may seek to attack or exploit 
elements of the GFS. The information used in the FFTP comes from intelligence and 
law enforcement community reporting. 

During fiscal year 2011, FPS: 

• Investigated and mitigated more than 1,300 threats and assaults directed to- 
wards Federal facilities and their occupants; 

• Disseminated 331 threat- and intelligence-based products to our stakeholders, 
142 of which were FPS-produced; 

• Conducted 81,125 post inspections; 

• Interdicted more than 680,000 weapons/prohibited items including knives, brass 
knuckles, pepper spray, and other items that could be used as weapons or are 
contraband such as illegal drugs, at Federal facility entrances during routine 
checks; 

• Made 1,975 arrests; 

• Responded to 53,000 incidents involving people or property; and 

• Conducted more than 1,800 high-visibility operations under Operation Shield 
and 150 risk-based Covert Test operations, ensuring the protection of Federal 
buildings and infrastructure. 

FPS IS DEVELOPING A RISK MANAGEMENT PROGRAM 

In terms of a risk management program, FPS’s operational activities are orga- 
nized by the National Infrastructure Protection Plan’s (NIPP) Risk Management 
Framework, which calls for the following steps: Set Security Goals, Identify Assets 
and Functions, Assess Risks, Prioritize, Implement Protective Programs, and Meas- 
ure Effectiveness. One area of recent significant progress related to risk assessment 
and the implementation of a risk management program is the on-going implementa- 
tion of FPS’s solution for conducting FSAs using an automated assessment tool. In 
May 2011, the decision was made to cease development of the legacy application 
known as the Risk Assessment and Management Program (RAMP) and to pursue 
a stand-alone assessment tool, in order to provide completed FSAs to customers. 
That decision has since been affirmed by the Department’s Office of Inspector Gen- 
eral (OIG). 

In the interim period, our employees have continued their daily interactions with 
tenant agencies and oversight of facility security. Our personnel have been com- 
pleting Pre-Modified Infrastructure Survey Tool (MIST) worksheets to enable com- 
plete FSA reports, and are constantly assessing risks to Federal facilities. Specifi- 
cally, the pre-MIST worksheet allows the inspector to collect key information that 
will be populated into MIST and used in generating a final FSA report. Such data 
includes facility information, vulnerability assessments, and existing protective 
measures. 

After consideration of several alternatives, FPS partnered with NPPD’s Office of 
Infrastructure Protection (IP) to leverage a proven assessment methodology called 
the Infrastructure Survey Tool (1ST). In October 2011, NPPD issued a task order 
to Argonne National Laboratory (ANL) through the Department of Energy to modify 
the existing Link Encrypted Network System (LENS) and 1ST for FPS use to con- 
duct FSAs. Because this project leveraged existing tools and had limited resources 
and time constraints, the acquisition life cycle was tailored to meet delivery dead- 
lines. 

I am pleased to note that in its draft report, GAO noted FPS’s use of project man- 
agement principles in the development of MIST. Throughout the project, the MIST 
Users Working Group has remained engaged to ensure user involvement in the 
process. User feedback from field testing was uniformly positive about MIST and the 
FPS Gateway, confirming suitability to support the FPS mission. The MIST and 
FPS Gateway development efforts were completed on schedule, with ANL delivering 
the system to the Government on March 30, 2012. In April 2012, and the decision 
was made to proceed and deploy MIST. It is important to note that throughout the 
development and testing of MIST, field employees and our union were involved and 
actively participated as subject matter experts in the process. 

FPS developed and is currently implementing a distance learning-based training 
program for each MIST user, as GAO commended in its draft report. Supervisors 
completed this training in April 2012 and Inspectors began their virtual training in 
May 2012, with completion of all training anticipated for late September 2012. This 
provides a hands-on learning environment for our Inspectors; they will receive vir- 
tual instruction as they use the tool in the learning environment. Once an Inspector 
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completes the training and successfully briefs his or her supervisor on a completed 
FSA, that Inspector will be able to proceed with conducting FSAs and reporting the 
results to a Facility Security Committee. 

In leveraging existing technology in developing MIST, FPS was able to incor- 
porate the ability to illustrate the impact of alternative countermeasures on a par- 
ticular vulnerability. MIST will also show how a facility is or is not meeting the 
baseline level of protection for its Facility Security Level as set forth in the ISC’s 
Physical Security Criteria for Federal Facilities standard and the ISC’s Design Basis 
Threat report. This will lead to a more informed and better dialogue with tenants 
and Facility Security committees as FSA results are discussed and alternatives are 
explored. Additionally, FPS recently disseminated guidance Nation-wide on the com- 
mencement of the use of MIST to generate FSAs upon completion of inspector train- 
ing. The anticipated results of the use of MIST are consistent assessment results 
Nation-wide and informed decision-making regarding security investments on the 
part of tenant agencies. 

FPS IS ADDRESSING KEY HUMAN CAPITAL ISSUES THROUGH DEVELOPMENT OF A 
STRATEGIC HUMAN CAPITAL PLAN 

In order to ensure that human resource requirements are aligned appropriately 
with FPS’s overall mission, a Strategic Human Capital Plan is being developed in 
conjunction with NPPD’s Human Capital Office. We are working to finalize the doc- 
ument; we intend to provide the plan and brief the committee when it is finalized. 

FPS IS WORKING TO IMPROVE ITS PROTECTIVE SECURITY OFFICER MANAGEMENT AND 

OVERSIGHT 

FPS is working to improve management and oversight of our over 13,000 Protec- 
tive Security Officer (PSO) force. We have reviewed our operations Nation-wide and 
have taken steps at the National program level to ensure that performances under 
contracts are advantageous to the Government. We are actively working to imple- 
ment the recommendations resulting from GAO and OIG reviews across the organi- 
zation. Additionally, an Integrated Project Team (IPT) conducted a comprehensive 
review of how FPS resources the PSO oversight function and our current oversight 
policy. 

FPS is also working with DHS’s Science and Technology Directorate to develop 
a system for contract guard oversight and explore means of leveraging technology 
to ensure effective oversight of PSOs, such as automated tracking of guard post staff 
levels and PSO possession of the necessary credentials to stand post. Additionally, 
our training team is working closely with industry and Federal partners in devel- 
oping a more effective training strategy for our PSOs. 

FPS IS EXAMINING ITS FEE STRUCTURE IN ORDER TO REVIEW CURRENT FEE DESIGN 

FPS operates through fee-based funding revenue, which is calculated based on the 
Federal facility tenant’s square footage of occupancy and on the collection of services 
associated with the provisioning of reimbursable protective countermeasures. This 
fee-based financial structure is unique among Federal law-enforcement agencies and 
requires a greater degree of understanding internal operations to ensure it is prop- 
erly aligned with FPS’s costs. 

To address this challenge, FPS is implementing a two-pronged strategy to better 
understand its activities and costs and recommend options for a new revenue struc- 
ture. In January 2012, FPS collaborated with the Department’s Systems Engineer- 
ing and Design Institute (SEDI), a Federally Funded Research and Development 
Center managed by the DHS Science and Technology Directorate, to produce a full 
mapping of FPS activities and then align them with costs. That work will be used 
to produce Activity-Based Cost (ABC) models for FPS. Both of these efforts are de- 
signed to result in a more efficient revenue structure for FPS and greater trans- 
parency in security costs for FPS stakeholders. 

CONCLUSION 

Thank you again for the opportunity to provide you with an update on the 
progress FPS is making on a number of fronts. FPS aspires to be an exemplary law 
enforcement and strategic critical infrastructure protection organization. This is a 
vision uniformly shared by FPS leadership and operational staff, both at head- 
quarters and in the field. I would be happy to answer any questions you might have. 

Mr. Lungren. Thank you very much, Director Patterson. You 
stayed within the time wonderfully. A new record here. 
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Now, Mr. Goldstein, please. 

STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL 

INFRASTRUCTURE ISSUES, GOVERNMENT ACCOUNTABILITY 

OFFICE 

Mr. Goldstein. Thank you, Mr. Chairman and Ranking Member 
Clarke. We are pleased to be here this morning to testify on the 
Federal Protective Service and its efforts to improve its security of 
Federal property, employees, and citizens who use these facilities. 

FPS provides security and law enforcement services to over 9,000 
Federal facilities managed by GSA. GAO has reported that FPS 
faces challenges providing security services, particularly completing 
FSAs and managing its contract guard program. 

To address these challenges FPS spent about $35 million in 4 
years developing RAMP, essentially a risk assessment and guard 
oversight tool. However, RAMP ultimately could not be used to do 
either because of system problems. 

My testimony today is based on preliminary work for you, Mr. 
Chairman, and discusses the extent to which FPS is completing 
risk assessments, developing a tool to complete FSAs, and man- 
aging its contract guard workforce. 

Our preliminary results indicate that: No. 1, the Department of 
Homeland Security’s DHS Federal Protective Service is not assess- 
ing risks at Federal facilities in a manner that is consistent with 
standards such as the National infrastructure protection plan’s risk 
management framework as FPS originally planned. Instead of con- 
ducting risk assessments, since September 2011 FPS’s inspectors 
have collected information such as location, purpose, agency con- 
tacts, and current countermeasures. 

This information notwithstanding, FPS has a backlog of Federal 
facilities that have not been assessed for several years. According 
to FPS’s own data, more than 5,000 facilities were to be assessed 
in fiscal years 2010 through 2012. 

However, GAO was not able to determine the extent of FPS’s fa- 
cility security assessment backlog because the data was unreliable. 
Multiple agencies have expended resources to conduct risk assess- 
ments themselves even though they also already pay FPS for this 
service. 

Second, FPS has an interim vulnerability assessment tool, re- 
ferred to as MIST, which it plans to use to assess Federal facilities 
until it develops a longer-term solution. In developing MIST, FPS 
generally followed project management best practices that GAO 
had developed, such as conducting user acceptance testing. 

However, our preliminary analysis indicates that MIST has some 
limitations. Most notably, MIST does not estimate the con- 
sequences of an undesirable event occurring at a facility. 

Several of the risk assessment experts GAO spoke with agreed 
that a tool that does not estimate consequences does not allow for 
an agency to fully assess risk. FPS officials stated that they did not 
include consequence information in MIST because it was not part 
of the original design and thus requires more time to validate. 

MIST also was not designed to compare risk across Federal facili- 
ties. Thus, FPS has a limited assurance if critical risks at Federal 
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facilities are being prioritized and mitigated. We have made rec- 
ommendations in this area in the past. 

Third, GAO’s preliminary work indicates that FPS continues to 
face challenges in overseeing its contract guard program. FPS de- 
veloped the risk assessment and management program, RAMP, to 
help it oversee its contract guard workforce by verifying that 
guards are trained and certified and for conducting guard post in- 
spections. 

However, FPS faced challenges using RAMP for guard oversight, 
such as verifying guard training and certification information, and 
has recently determined that it would no longer use RAMP. With- 
out a comprehensive system it is more difficult for FPS to oversee 
its contract guard workforce. 

FPS is verifying guard certification and training information by 
conducting monthly audits of guard training and certification infor- 
mation. However, FPS does not independently verify the contrac- 
tors’ information. 

Additionally, FPS recently decided to deploy a new interim meth- 
od to record post inspections that replaced RAMP. We have not re- 
viewed this system. 

This concludes my opening remarks, Mr. Chairman. I would be 
pleased to address any questions you or Members of the sub- 
committee have. Thank you. 

[The prepared statement of Mr. Goldstein follows:] 

Prepared Statement of Mark L. Goldstein 
July 24, 2012 

GAO HIGHLIGHTS 

Highlights of GAO-12-943T, testimony before the Subcommittee on Cybersecu- 
rity, Infrastructure Protection, and Security Technologies of the House Committee 
on Homeland Security. 

W/iy GAO Did This Study 

FPS provides security and law enforcement services to over 9,000 Federal facili- 
ties managed by the General Services Administration (GSA). GAO has reported that 
FPS faces challenges providing security services, particularly completing FSAs and 
managing its contract guard program. To address these challenges, FPS spent about 
$35 million and 4 years developing RAMP — essentially a risk assessment and guard 
oversight tool. However, RAMP ultimately could not be used to do either because 
of system problems. 

This testimony is based on preliminary work for the Chairman and discusses the 
extent to which FPS is: (1) Completing risk assessments, (2) developing a tool to 
complete FSAs, and (3) managing its contract guard workforce. GAO reviewed FPS 
documents, conducted site visits at 3 of FPS’s 11 regions and interviewed officials 
from FPS, Argonne National Laboratory, GSA, Department of Veterans Affairs, the 
Federal Highway Administration, Immigration and Customs Enforcement, and 
guard companies; as well as 4 risk management experts. 

What GAO Recommends 

GAO is not making any recommendations in this testimony. GAO plans to finalize 
its analysis and report to the Chairman in August 2012, including recommenda- 
tions. GAO discussed the information in this statement with FPS and incorporated 
technical comments as appropriate. 

FEDERAL PROTECTIVE SERVICE. — PRELIMINARY RESULTS ON EFFORTS TO ASSESS 
FACILITY RISKS AND OVERSEE CONTRACT GUARDS 


What GAO Found 

GAO’s preliminary results indicate that the Department of Homeland Security’s 
(DHS) Federal Protective Service (FPS) is not assessing risks at Federal facilities 
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in a manner consistent with standards such as the National Infrastructure Protec- 
tion Plan’s (NIPP) risk management framework, as FPS originally planned. Instead 
of conducting risk assessments, since September 2011, FPS’s inspectors have col- 
lected information, such as the location, purpose, agency contacts, and current coun- 
termeasures (e.g., perimeter security, access controls, and closed-circuit television 
systems). This information notwithstanding, FPS has a backlog of Federal facilities 
that have not been assessed for several years. According to FPS’s data, more than 
5,000 facilities were to be assessed in fiscal years 2010 through 2012. However, 
GAO was not able to determine the extent of FPS’s facility security assessment 
(FSA) backlog because the data were unreliable. Multiple agencies have expended 
resources to conduct risk assessments, even though they also already pay FPS for 
this service. 

FPS has an interim vulnerability assessment tool, referred to as the Modified In- 
frastructure Survey Tool (MIST), which it plans to use to assess Federal facilities 
until it develops a longer-term solution. In developing MIST, FPS generally followed 
GAO’s project management best practices, such as conducting user acceptance test- 
ing. However, our preliminary analysis indicates that MIST has some limitations. 
Most notably, MIST does not estimate the consequences of an undesirable event oc- 
curring at a facility. Three of the four risk assessment experts GAO spoke with gen- 
erally agreed that a tool that does not estimate consequences does not allow an 
agency to fully assess risks. FPS officials stated that they did not include con- 
sequence information in MIST because it was not part of the original design and 
thus requires more time to validate. MIST also was not designed to compare risks 
across Federal facilities. Thus, FPS has limited assurance that critical risks at Fed- 
eral facilities are being prioritized and mitigated. 

GAO’s preliminary work indicates that FPS continues to face challenges in over- 
seeing its approximately 12,500 contract guards. FPS developed the Risk Assess- 
ment and Management Program (RAMP) to help it oversee its contract guard work- 
force by verif 3 ring that guards are trained and certified and for conducting guard 
post inspections. However, FPS faced challenges using RAMP for guard oversight, 
such as verifying guard training and certification information, and has recently de- 
termined that it would no longer use RAMP. Without a comprehensive system, it 
is more difficult for FPS to oversee its contract guard workforce. FPS is verifying 
guard certification and training information by conducting monthly audits of guard 
information maintained by guard contractors. However, FPS does not independently 
verify the contractor’s information. Additionally, according to FPS officials, FPS re- 
cently decided to deploy a new interim method to record post inspections that re- 
places RAMP. 

Chairman Lungren, Ranking Member Clarke, and Members of the subcommittee: 
We are pleased to be here today to discuss the Department of Homeland Security’s 
(DHS) Federal Protective Service’s (FPS) efforts to complete risk assessments of the 
over 9,000 Federal facilities under the custody and control of the General Services 
Administration (GSA) and oversee its contract guards in the absence of its Risk As- 
sessment and Management Program (RAMP), a web-enabled facility security assess- 
ment (FSA) and guard management system. As we reported in July 2011, FPS had 
spent about $35 million and taken almost 4 years to develop RAMP — $14 million 
and 2 years more than planned — but still could not use RAMP to complete FSAs 
because of several factors, including that FPS did not verify the accuracy of the Fed- 
eral facility data used.^ As a result, FPS’s Director decided to stop using RAMP to 
conduct FSAs and instead pursue an interim tool to replace it. FPS also experienced 
difficulty using RAMP to ensure that its guards met training and certification re- 
quirements, primarily because of challenges in verifying guards’ data.^ In June 
2012, FPS also decided to stop using RAMP to help oversee its contract guard pro- 
gram. 

For fiscal year 2012, FPS has a budget of $1.3 billion, with over 1,200 full-time 
employees and about 12,500 contract security guards, to achieve its mission to pro- 
tect Federal facilities. As part of the FSA process, FPS generally attempts to gather 
and review facility information; conduct and record interviews with tenant agencies; 
assess threats, vulnerabilities, and consequences to facilities, employees, and the 
public; and recommend countermeasures to Federal tenant agencies. FPS’s contract 
guards are responsible for controlling access to Federal facilities, screening access 
areas to prevent the introduction of weapons and explosives, enforcing property 
rules and regulations, detecting and reporting criminal acts, and responding to 


1 GAO, Federal Protective Service: Actions Needed to Resolve Delays and Inadequate Oversight 
Issues with FPS’s Risk Assessment and Management Program, GAO— 11— 705R (Washington, DC: 
July 15, 2011). 

2GAO-11-705R. 
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emergency situations involving facility safety and security. FPS relies on the fees 
it charges Federal tenant agencies in GSA-controlled facilities to fund its security 
services.^ 

This testimony is based on preliminary results of work we conducted for a report 
that we plan to issue to the Chairman in August 2012. That report will contain our 
final evaluation and recommendations. Consistent with the report’s objectives, this 
statement addresses the extent to which FPS is: (1) Completing risk assessments, 
(2) developing a tool to complete FSAs, and (3) managing its contract guard work- 
force. To examine the extent to which FPS is completing risk assessments and over- 
seeing guards without RAMP, we reviewed, among other things, FPS’s current FSA 

g rocedures and data on completed and planned FSAs for fiscal years 2010 to 2012. 

pecifically, we reviewed FPS’s FSA data aggregated from its 11 regions to deter- 
mine the extent of its FSA backlog. However, we could not determine the extent of 
the backlog because FPS’s data contained a number of missing and incorrect values 
which made the data unreliable. We also visited 3 of FPS’s 11 regions and inter- 
viewed internal and external stakeholders including, among others, FPS, GSA, De- 
partment of Veterans Affairs, the Federal Highway Administration, Immigration 
and Customs Enforcement, and guard companies. We selected these 3 regions based 
on the number of Federal facilities in the region and their security levels, the num- 
ber of contract guards in the region, and geographic dispersion. Our work is not gen- 
eralizable to all FPS regions. To determine the status of FPS’s efforts to develop an 
FSA tool, we reviewed, among other things, relevant project documents and Federal 
physical security standards, such as DHS’s National Infrastructure Protection Plan’s 
(NIPP) risk management framework. We also interviewed FPS officials, representa- 
tives from Argonne National Laboratory, and four risk management experts. We se- 
lected our four risk assessment experts from a list of individuals who participated 
in the Comptroller General’s 2007 risk management forum.'^ This work is being con- 
ducted in accordance with generally accepted Government auditing standards. 
Those standards require that we plan and perform the audit to obtain sufficient, ap- 
propriate evidence to provide a reasonable basis for our findings and conclusions 
based on our audit objectives. We believe that the evidence obtained provides a rea- 
sonable basis for our findings and conclusions based on our audit objectives. 

FPS DOES NOT CURRENTLY ASSESS RISKS AT FEDERAL FACILITIES BUT MULTIPLE 
AGENCIES ARE CONDUCTING THEIR OWN ASSESSMENTS 

Our preliminary results indicate that, in the absence of RAMP, FPS currently is 
not assessing risk at the over 9,000 Federal facilities under the custody and control 
of GSA in a manner consistent with Federal standards such as NIPP’s risk manage- 
ment framework, as FPS originally planned. According to this framework, to be con- 
sidered credible a risk assessment must specifically address the three components 
of risk: Threat, vulnerability, and consequence. As a result, FPS has accumulated 
a backlog of Federal facilities that have not been assessed for several years. Accord- 
ing to FPS data, more than 5,000 facilities were to be assessed in fiscal years 2010 
through 2012. However, we were not able to determine the extent of the FSA back- 
log because we found FPS’s FSA data to be unreliable. Specifically, our analysis of 
FPS’s December 2011 assessment data showed nearly 800 (9 percent) of the approxi- 
mately 9,000 Federal facilities did not have a date for when the last FSA was com- 
pleted. We have reported that timely and comprehensive risk assessments play a 
critical role in protecting Federal facilities by helping decision makers identify and 
evaluate potential threats so that countermeasures can be implemented to help pre- 
vent or mitigate the facilities’ vulnerabilities.® 

Although FPS is not currently assessing risk at Federal facilities, FPS officials 
stated that the agency is taking steps to ensure Federal facilities are safe. According 
to FPS officials, its inspectors (also referred to as law enforcement security officers) 
monitor the security posture of Federal facilities by responding to incidents, testing 
countermeasures, and conducting guard post inspections. In addition, since Sep- 
tember 2011, FPS’s inspectors have collected information — such as location, purpose, 
agency contacts, and current countermeasures (e.g., perimeter security, access con- 
trols, and closed-circuit television systems) at over 1,400 facilities — which will be 
used as a starting point to complete FPS’s fiscal year 2012 assessments. However, 
FPS officials acknowledged that this approach is not consistent with NIPP’s risk 
management framework. Moreover, several FPS inspectors told us that they re- 


3 40 U.S.C. §586; 41 C.F.R. §102-85.35; Pub. L. No. 111-83, 123 Stat. 2142, 2156-57 (2009). 
^GAO, Highlights of a Forum: Strengthening the Use of Risk Management Principles in Home- 
land Security, GAO-08— 627SP (Washington, DC: April 2008). 

® GAO, Homeland Security: Greater Attention to Key Practices Would Improve the Federal Pro- 
tective Service’s Approach to Facility Protection, GAO— 10-142 (Washington, DC: Oct. 23, 2009). 



15 


ceived minimal training or guidance on how to collect this information, and ex- 
pressed concern that the facility information collected could become outdated by the 
time it is used to complete an FSA. 

Multiple Federal Agencies Are Conducting Their Own Risk Assessments 

We reported in February 2012 that multiple Federal agencies have been expend- 
ing additional resources to conduct their own risk assessments, in part because they 
have not been satisfied with FPS’s past assessments.® These assessments are taking 
place even though, according to FPS’s Chief Financial Officer, FPS received $236 
million in basic security fees from Federal agencies to conduct FSAs and other secu- 
rity services in fiscal year 2011.'^ For example, officials we spoke with at the Inter- 
nal Revenue Service, Federal Emergency Management Agency, Environmental Pro- 
tection Agency, and the U.S. Army Corps of Engineers stated that they conduct 
their own risk assessments. GSA is also expending additional resources to assess 
risk. We reported in October 2010 that GSA officials did not always receive timely 
FPS risk assessments for facilities GSA considered leasing.® GSA seeks to have 
these assessments completed before it takes possession of a property and leases it 
to tenant agencies. However, our preliminary work indicates that as of June 2012, 
FPS has not coordinated with GSA and other Federal agencies to reduce or prevent 
duplication of its assessments. 

FPS EFFORTS TO DEVELOP A RISK ASSESSMENT TOOL ARE EVOLVING, BUT CHALLENGES 

REMAIN 

In September 2011, FPS signed an interagency agreement with Argonne National 
Laboratory for about $875,000 to develop an interim tool for conducting vulner- 
ability assessments by June 30, 2012.® According to FPS officials, on March 30, 
2012, Argonne National Laboratory delivered this tool, called the Modified Infra- 
structure Survey Tool (MIST), to FPS on time and within budget. MIST is an in- 
terim vulnerability assessment tool that FPS plans to use until it can develop a per- 
manent solution to replace RAMP. According to MIST project documents and FPS 
officials, among other things, MIST will: 

• allow FPS’s inspectors to review and document a facility’s security posture, cur- 
rent level of protection, and recommend countermeasures; 

• provide FPS’s inspectors with a standardized way for gathering and recording 
facility data; and 

• allow FPS to compare a facility’s existing countermeasures against the Inter- 
agency Security Committee’s (ISC) countermeasure standards based on the 
ISC’s predefined threats to Federal facilities (e.g., blast-resistant windows for 
a facility designed to counter the threat of an explosive device) to create the fa- 
cility’s vulnerability report, i® 

According to FPS officials, MIST will provide several potential improvements over 
FPS’s prior assessment tools, such as using a standard way of collecting facility in- 
formation and allowing edits to GSA’s facility data when FPS inspectors find it is 
inaccurate. In addition, according to FPS officials, after completing a MIST vulner- 
ability assessment, inspectors will use additional threat information gathered out- 
side of MIST by FPS’s Threat Management Division as well as local crime statistics 
to identify any additional threats and generate a threat assessment report. FPS 
plans to provide the facility’s threat and vulnerability reports along with any coun- 
termeasure recommendations to the Federal tenant agencies. 

In May 2012, FPS began training inspectors on MIST and how to use the threat 
information obtained outside MIST and expects to complete the training by the end 
of September 2012. According to FPS officials, inspectors will be able to use MIST 
once they have completed training and a supervisor has determined, based on pro- 


®GAO, 2012 Annual Report: Opportunities to Reduce Duplication, Overlap, and Fragmenta- 
tion, Achieve Savings, and Enhance Revenue, GAO-12-342SP (Washington, DL: February 2012). 

"^FPS currently charges tenant agencies in properties under GSA control a basic security fee 
of $0.74 per square foot per year for its security services including physical security and law 
enforcement activities as per 41 C.F.R. § 102—85.35. 
sGAO-10-142. 

® As of March 2012, FPS’s total life cycle cost for MIST was estimated at $5 million. 
i®The ISC is comprised of representatives from more than 50 Federal agencies and depart- 
ments, establishes standards and best practices for Federal security professionals responsible for 
protecting non-military Federal facilities in the United States. FPS is a member agency of the 
Interagency Security Committee in the Department of Homeland Security, along with other Fed- 
eral agencies such as the General Services Administration, the Federal Aviation Administration, 
the Environmental Protection Agency, and other components within the Department of Home- 
land Security. The ISC has defined 31 different threats to Federal facilities including vehicle- 
borne improvised explosive devices, workplace violence, and theft. 
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fessional judgment, that the inspector is capable of using MIST. At that time, an 
inspector will be able to use MIST to assess level I or II facilities. According to 
FPS officials, once these assessments are approved, FPS will subsequently deter- 
mine which level III and IV facilities the inspector may assess with MIST. 

FPS Increased Its Use of Project Management Best Practices in Developing MIST 
Our preliminary analysis indicates that in developing MIST, FPS increased its 
use of GAO’s project management best practices, including alternatives analysis, 
managing requirements, and conducting user acceptance testing.i^ For example, 
FPS completed, although it did not document, an alternatives analysis prior to se- 
lecting MIST as an interim tool to replace RAMP. It appears that FPS also better 
managed MIST’s requirements. Specifically, FPS’s Director required that MIST be 
an FSA-exclusive tool and thus helped avoid changes in requirements that could 
have resulted in cost or schedule increases during development. In March 2012, FPS 
completed user acceptance testing of MIST with some inspectors and supervisors, 
as we recommended in 2011. According to FPS officials, user feedback on MIST 
was positive from the user acceptance test, and MIST produced the necessary out- 
put for FPS’s FSA process. However, FPS did not obtain GSA or Federal tenant 
agencies’ input in developing MIST’s requirements. Without this input, FPS’s cus- 
tomers may not receive the information they need to make well-informed counter- 
measure decisions. 

MIST Has Limitations as an Assessment Tool 

FPS has yet to decide what tool, if any, will replace MIST, which is intended to 
be an interim vulnerability assessment tool. According to FPS officials, the agency 
plans to use MIST for at least the next 18 months. Consequently, until FPS decides 
what tool, if any, will replace MIST and RAMP, it will still not be able to assess 
risk at Federal facilities in a manner consistent with NIPP, as we previously men- 
tioned. Our preliminary work suggests that MIST has several limitations: 

• Assessing Consequence. — FPS did not design MIST to estimate consequence, a 
critical component of a risk assessment. Assessing consequence is important be- 
cause it combines vulnerability and threat information to evaluate the potential 
effects of an adverse event on a Federal facility. Three of the four risk assess- 
ment experts we spoke with generally agreed that a tool that does not estimate 
consequences does not allow an agency to fully assess the risks to a Federal fa- 
cility. However, FPS officials stated that incorporating consequence information 
into an assessment tool is a complex task. FPS officials stated that they did not 
include consequence assessment in MIST’s design because it would have re- 
quired additional time to develop, validate, and test MIST. As a result, while 
FPS may be able to identify a facility’s vulnerabilities to different threats using 
MIST, without consequence information. Federal tenant agencies may not be 
able to make fully-informed decisions about how to allocate resources to best 
protect Federal facilities. FPS officials do not know if this capability can be de- 
veloped in the future, but they said that they are working with the ISC and 
DHS’s Science and Technology Directorate to explore the possibility. 

• Comparing Risk Across Federal Facilities. — FPS did not design MIST to present 
comparisons of risk assessment results across Federal facilities. Consequently, 
FPS cannot take a comprehensive approach to managing risk across its portfolio 
of 9,000 facilities to prioritize recommended countermeasures to Federal tenant 
agencies. Instead, FPS takes a facility-by-facility approach to risk management 
where all facilities with the same security level are assumed to have the same 
security risk, regardless of their location.^'' We reported in 2010 that FPS’s ap- 
proach to risk management provides limited assurance that the most critical 
risks at Federal facilities across the country are being prioritized and miti- 


FPS uses the ISC’s Facility Security Level Determination for Federal Facilities to determine 
the facility security level (FSL). The ISC recommends that level I and II facilities he assessed 
every 5 years and level III and IV facilities every 3 years. According to the ISC’s criteria, a level 
I facility may he 10,000 or fewer square feet, have fewer than 100 employees, provide adminis- 
trative or direct service activities, and have little to no public contact; a level II facility may 
be 100,000 or fewer square feet, have 250 or fewer employees, be readily identifiable as a Fed- 
eral facility, and provide district or State-wide services; a level III facility may be 250,000 or 
fewer square feet, have 750 or fewer employees, be an agency’s headquarters, and be located 
in an area of moderate crime; and a level IV facility may exceed 250,000 square feet, have more 
than 750 employees, house National leadership, and be located in or near a popular tourist des- 
tination. 

12GAO-11-705R. 

13 GAO-1 1-705R. 

i‘‘GAO-10-142. 
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gated. FPS recognized the importance of having such a comprehensive ap- 
proach to its FSA program when it developed RAMP and FPS officials stated 
that they may develop this capability for the next version of MIST. 

• Measuring Performance . — FPS has not developed metrics to measure MIST’s 
performance, such as feedback surveys from tenant agencies. Measuring per- 
formance allows organizations to track progress toward their goals and, gives 
managers critical information on which to base decisions for improving their 
programs. This is a necessary component of effective management, and should 
provide agency managers with timely, action-oriented information, Without 
such metrics, FPS’s ability to improve MIST will be hampered. FPS officials 
stated that they are planning to develop performance measures for MIST, but 
did not give a time frame for when they will do so. 

FPS FACES CHALLENGES IN OVERSEEING ITS CONTRACT GUARDS 

Our work to date indicates that FPS does not have a comprehensive and reliable 
system to oversee its approximately 12,500 contract guards. In addition to con- 
ducting FSAs, FPS developed RAMP as a comprehensive system to help oversee two 
aspects of its contract guard program: (1) Verifying that guards are trained and cer- 
tified to be on post in Federal facilities; and (2) conducting and documenting guard 
post inspections. However, FPS experienced difficulty with RAMP because the con- 
tract guard training and certification information in RAMP was not reliable. Addi- 
tionally, FPS faced challenges using RAMP to conduct and document post inspec- 
tions. For example, FPS inspectors we interviewed reported they had difficulty 
connecting to RAMP’s servers in remote areas and that recorded post inspections 
disappeared from RAMP’s database without explanation. Although we reported 
some of these challenges in 2011, FPS did not stop using RAMP for guard oversight 
until June 2012 when the RAMP operations and maintenance contract was due to 
expire. 

In the absence of RAMP, in June 2012, FPS decided to deploy an interim method 
to enable inspectors to record post inspections. FPS officials said this capability is 
separate from MIST, will not allow FPS to generate post inspection reports, and 
does not include a way for FPS inspectors to check guard training and certification 
data during a post inspection. FPS officials acknowledged that this method is not 
a comprehensive system for guard oversight. Consequently, it is now more difficult 
for FPS to verify that guards on post are trained and certified and that inspectors 
are conducting guard post inspections as required. 

Although FPS collects guard training and certification information from the com- 
panies that provide contract guards, it appears that FPS does not independently 
verify that information. FPS currently requires its guard contractors to maintain 
their own files containing guard training and certification information and began re- 
quiring them to submit a monthly report with this information to FPS’s regions in 
July 2011. To verify the guard companies’ reports, FPS conducts monthly audits. 
As part of its monthly audit process, FPS’s regional staff visits the contractor’s office 
to select 10 percent of the contractor’s guard files and check them against the re- 
ports guard companies send FPS each month. In addition, in October 2011, FPS un- 
dertook a month-long audit of every guard file to verify that guards had up-to-date 
training and certification information for its 110 contracts across its 11 regions. FPS 
provided preliminary October 2011 data showing that 1,152 (9 percent) of the 12,274 
guard files FPS reviewed at that time were deficient, meaning that they were miss- 
ing one or more of the required certification document(s). However, FPS does not 
have a final report on the results of the Nation-wide audit that includes an expla- 
nation of why the files were deficient and whether deficiencies were resolved. 

FPS’s monthly audits of contractor data provide limited assurance that qualified 
guards are standing post, as FPS is verifying that the contractor-provided informa- 
tion matches the information in the contractor’s files. We reported in 2010 that 
FPS’s reliance on contractors to self-report guard training and certification informa- 


GAO, Homeland Security: Addressing Weaknesses with Facility Security Committees Would 
Enhance Protection of Federal Facilities, GAO-10— 901 (Washington, DC: August 5, 2010). 

i®GAO, Homeland Security: The Federal Protective Service Faces Several Challenges That 
Hamper its Ability to Protect Federal Facilities, GAO— 08-683 (Washington, DC: June 11, 2008). 
I'^A post is a guard’s area of responsibility in a Federal facility. 

FPS’s inspection requirement for level I and II facilities is two annual inspections of all 
posts, all shifts. The inspection requirement for level III facilities is biweekly inspections of two 
posts, any shift, and for level IV, weekly inspections of two posts, any shift. 

i^For example, guard training and certifications include firearms qualification, 
cardiopulmonary resuscitation, first aid, baton certification, and X-ray and magnetometer train- 
ing. 
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tion without a reliable tracking system of its own may have contributed to a situa- 
tion in which a contractor allegedly falsified training information for its guards.^® 
In addition, officials at one FPS region told us they maintain a list of the files that 
have been audited previously to avoid reviewing the same files, but FPS has no way 
of ensuring that the same guard files are not repeatedly reviewed during the month- 
ly audits, while others are never reviewed. In the place of RAMP, FPS plans to con- 
tinue using its administrative audit process and the monthly contractor-provided in- 
formation to verify that qualified contract guards are standing post in Federal facili- 
ties. 

We plan to finalize our analysis and report to the Chairman in August 2012, in- 
cluding recommendations. We discussed the information in this statement with FPS 
and incorporated technical comments as appropriate. Chairman Lungren, Ranking 
Member Clarke, and Members of the subcommittee, this completes my prepared 
statement. I would be happy to respond to any questions you may have at this time. 

Mr. Lungren. Thank you very much, Mr. Goldstein. 

The Chairman now recognizes Dr. Peerenhoom to testify. 

STATEMENT OF JAMES P. PEERENBOOM, DIRECTOR, INFRA- 
STRUCTURE ASSURANCE CENTER, ASSOCIATE DIRECTOR, 

DECISION AND INFORMATION SCIENCES DIVISION, AR- 

GONNE NATIONAL LABORATORY 

Mr. PEERENBOOM. Good morning. Thank you, Chairman Lun- 
gren, Representative Clarke, and the Members of the subcommittee 
for your invitation to testify here today. 

In early October 2011 the Federal Protective Service engaged Ar- 
gonne by funding the development of a software application called 
a Modified Infrastructure Survey Tool, or MIST, to be used by FPS 
on an interim basis to conduct facility security assessments. MIST 
uses a tailored set of questions that helps FPS establish a security 
baseline and allows for comparisons of facilities being surveyed 
against security standards. The MIST provides a standardized way 
of collecting and reporting facility information to inform decisions 
about security measures. 

Argonne’s work involved five tasks: Working with FPS to develop 
the MIST methodology; implementing the methodology as a release 
called MIST Release 1.0; developing a host site for MIST Release, 
called the FPS Gateway; assisting FPS, as requested, in training 
functions; and finally, providing help desk support to MIST oper- 
ation. 

By working closely with FPS inspectors, contract management 
staff, and leadership throughout the period of performance Argonne 
was able to meet all the defined requirements in the statement of 
work. MIST Release 1.0 and the FPS Gateway were delivered to 
FPS on March 30, 2012, 6 months after the program began. The 
products were delivered on time and within the defined budget. 

Argonne greatly appreciates the opportunity to work with FPS in 
a collaborative manner to develop the MIST as a useful and usable 
interim tool for FPS personnel. Knowledgeable FPS leadership and 
staff were actively involved in all tasks and feedback was provided 
by FPS personnel in a timely manner to guide development activi- 
ties. In addition, regular meetings were held with FPS director. Di- 
rector Patterson, and his staff to review schedules and deliverables 


20 GAO, Homeland Security: Federal Protective Service’s Contract Guard Program Requires 
More Oversight and Reassessment of Use of Contract Guards, GAO-10-341 (Washington, DC: 
April 13, 2010). 
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and to ensure that any problems encountered were identified and 
quickly resolved. 

Finally, Argonne also wishes to thank the DHS Office of Infra- 
structure Protection, part of NPPD, their Protective Security Co- 
ordination Division in particular, for their collaboration with FPS, 
willingness to share methodologies, technology, and experience. 

I appreciate this opportunity to summarize the MIST develop- 
ment activities at Argonne and I look forward to your questions. 
Thank you. 

[The prepared statement of Mr. Peerenboom follows:] 

Prepared Statement of James P. Peerenboom 
July 24, 2012 

Thank you Chairman Lungren, Representative Clarke, and the distinguished 
Members of the subcommittee for your invitation to testify here today. 

My name is James Peerenboom, and I am the Director of the Infrastructure As- 
surance Center and the Associate Director of the Decision and Information Sciences 
Division at Argonne National Laboratory. Argonne is located just outside of Chicago 
and is one of the U.S. Department of Energy’s largest National laboratories for sci- 
entific and engineering research. Argonne has been providing technical support to 
the U.S. Department of Homeland Security (DHS) since the Department was estab- 
lished in March 2003. 


BACKGROUND 

In late March 2011, the Federal Protective Service (FPS) requested a meeting 
with Argonne to discuss the potential for leveraging technical work that had been 
underway at the laboratory since 2007. The work that FPS was seeking to leverage 
was funded by the DHS National Protection and Programs Directorate’s Office of 
Infrastructure Protection (NPPD/IP). Specifically, FPS was interested in exploring 
the option to modify an existing survey tool that Argonne had developed for NPPD/ 
IP called the Infrastructure Survey Tool (1ST). This security survey has been suc- 
cessfully deployed and used by DHS and its Protective Security Advisors (PSAs) to 
identify security measures at various critical infrastructure assets across the Na- 
tion. Argonne first met with FPS representatives in April 2011 to demonstrate 1ST 
functionality; discuss the purpose, scope, and limitations of the tool; and discuss 
FPS assessment needs. A series of subsequent discussions and meetings with FPS 
took place from April through September 2011. 

description of 1ST 

The 1ST is a survey tool that employs a tailored set of questions to identify for 
infrastructure owners and operators some of the potential security weaknesses at 
a given facility, establish an index value of protective measures at the facility, and 
provide comparisons with similar facilities. It is not a vulnerability or risk assess- 
ment tool. Rather, as a survey tool, the 1ST provides a consistent, transparent, and 
integrated assessment of a facility’s current security posture. It was designed for ap- 
plication to many types of critical infrastructure assets — from refineries, railroad 
lines, and power plants to financial centers — to enable owners and operators to see 
how the security measures at their facilities stack up against those at facilities like 
theirs. While the 1ST is not intended to compare a facility’s security to specific 
standards, it does provide a comparative measure to similar facilities. 

The DHS customers for 1ST survey data are infrastructure owners and operators. 
The survey data, presented in an interactive dashboard, allows them to visualize 
how certain security-related changes, such as adding security cameras or installing 
fencing, alters the protective measures index value and may contribute to improved 
security. On the basis of feedback from the PSA community, the interactive dash- 
board in use by NPPD/IP has been well received by infrastructure owners and oper- 
ators. In addition to providing insight and valuable feedback to owners and opera- 
tors, the 1ST data are also used by DHS to benchmark security measures, identify 
protective measure gaps, and develop infrastructure protection strategies. 
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FPS WORK SCOPE 

In early October 2011, FPS engaged Argonne by funding the development of a 
software application, called the Modified Infrastructure Survey Tool (MIST), to be 
used by FPS on an interim basis to conduct facility security assessments. As the 
name implies, the MIST is a modification of the existing 1ST developed by Argonne 
and deployed by NPPD/IP. The MIST uses a tailored set of questions that helps FPS 
establish a security baseline and allows for comparison of the facility being surveyed 
against security standards. MIST’s methodology involves the gathering of data via 
an assessment question set, processing the data through an algorithm to convert the 
data to vulnerability measures, and the generation of outputs such as a report of 
those measures. Although the MIST was not designed to be an Interagency Security 
Committee (ISO-compliant tool, it adheres to the ISC process and guidance as much 
as possible and captures elements of ISC standards. The MIST provides a standard- 
ized way of collecting and reporting facility information to inform decisions about 
security measures. 

Argonne’s work was funded through an existing Interagency Agreement (lAA) 
with NPPD/IP that encompassed IST-related tasks. Funds were committed under 
the lAA to develop, test, deliver, and support MIST Release 1.0. More than half of 
the funds were used for hardware and software to establish a web portal, called the 
FPS Gateway, that allows for sharing of information products and knowledge in real 
time. The FPS Gateway leverages the architecture and hardware/software tech- 
nology of the Linking Encrypted Network System (LENS), a similar portal that Ar- 
gonne developed for NPPD/TP. 

Argonne’s statement of work under the lAA with FPS included five tasks, all of 
which involved leveraging the experience, expertise, and technology used in devel- 
oping the 1ST: 

• Working with FPS to develop the MIST methodology; 

• Implementing the methodology as MIST Release 1.0 (software development); 

• Developing a host site for MIST Release 1.0 (i.e., the FPS Gateway); 

• Assisting FPS, as requested, in training functions; and 

• Providing “help desk” support for MIST operation. 

PROJECT RESULTS 

By working closely with FPS inspectors, contract management staff, and leader- 
ship throughout the period of performance, Argonne was able to meet all defined 
requirements in the statement of work. MIST Release 1.0 and the FPS Gateway 
were delivered to FPS on March 30, 2012. The products were delivered on time and 
within the defined budget. Argonne continues to provide help desk support to FPS. 
Feedback from FPS about the MIST as an interim survey tool has been very posi- 
tive. 


ACKNOWLEDGMENTS 

Argonne appreciates the opportunity to work with FPS in a collaborative manner 
to develop the MIST as a useful and usable interim tool for FPS personnel. Knowl- 
edgeable FPS leadership and staff were actively engaged in all tasks, and feedback 
was provided by FPS personnel in a timely manner to guide development. In addi- 
tion, regular meetings with the FPS Director also were held to review schedules and 
deliverables and to ensure that any problems encountered were identified and 
quickly resolved. Argonne also wishes to thank the NPPD/IP Protective Security Co- 
ordination Division staff for their collaboration with FPS, willingness to explain and 
share methodologies and technology, and thorough LAA oversight. 

Mr. Lungren. Thank you very much. 

I think we may have set a record for brevity of the three panel- 
ists, and we appreciate that. I am sure all my colleagues have 
questions. We will start of round of questioning, and I will start 
with the first 5 minutes. 

General Patterson, in your previous jobs, precision, accuracy, at- 
tention to detail has been extremely important. We have had con- 
cerns prior to the time you got there with the lack of those things 
in some of the functions that you are supposed to — that your oper- 
ation is supposed to carry out. 

Last July when you testified you indicated your, I think, frustra- 
tion at where FPS was at that time. So how would you assess 
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FPS’s progress to address deficiencies in the ability to conduct facil- 
ity security assessments and conduct oversight and training of the 
contract guard program? 

As I am sure you heard Mr. Goldstein, you have seen the testi- 
mony that he gave. There seems to be some concern that he ex- 
presses there. How would you judge where you are versus where 
you think you need to be and where you want to be in those areas? 

General Patterson. Thank you, sir. 

Well, to begin, we are at the beginning. RAMP unfortunately did 
not produce results that the agency had hoped that it would. So 
after careful review, as you are aware, I made the decision that we 
were no longer going to follow that path and develop a new path. 

I spent quite a bit of time with our sister activity component 
within Homeland Security, I.P., to talk about how they look at 
threats, how they look at vulnerability within the private and com- 
mercial sector, and how we could leverage what they do and bring 
that about as quickly as we can to look how we might do that in 
the Federal sector. 

Once I was able to look across the — at what they were doing and 
some of the things that some of our other partners might — were 
doing at the time, because we also looked at systems within S&T, 
and I think GSA also had a system that we were evaluating. But 
at the time I believe that I.P. offered us the best product, if you 
will, for us to move forward. That was when I was introduced to 
Argonne Labs and the work that they were doing for I.P. to support 
I.P. 

I spent quite a bit of time with I.P. and Argonne Labs to assess 
whether or not that would be the right direction for us. In fact, 
that was the right — I believe that it is the right direction for us. 

Now, to get to the point of our folks within the GAO assessment, 
it is correct that our MIST tool does not look at consequence. How- 
ever, what we do is we look at vulnerability and we look at threat. 
We do that in a couple of ways. 

In the vulnerability, we collect a lot of data to assess and to de- 
termine how vulnerable these — our facilities are to the threats that 
are being posed by — in a number of areas, whether it be natural 
disaster, whether it be criminal threat, or whether it be from the 
threat of terrorism. 

I have also developed a very robust activity within FPS that 
looks at the threat picture every day. We have folks who are work- 
ing with the ODNI, the Office of Director of National Intelligence, 
who are working with I&A at DHS, who are working with the FBI. 
I have several folks across the country who are working at the 
JTTFs as well as the fusion centers across the country to help us 
better understand the threat picture as we move forward pulling 
vulnerability and threat together. 

Relative to the consequence piece, each one of the Federal agen- 
cies has a — what we call a COOP plan. It is a plan as to when 
there is a problem — a disaster or something the must respond to — 
how they will reorganize, how they will reconstitute once that 
event has happened. They also have something called an occupa- 
tional emergency plan that we work with them — that they can le- 
verage, and that plan is developed when an agency is either — when 
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they have stood up — or when they occupy a facility, or as we go in 
to perform our assessments. 

So we have what we believe to be a fairly robust scenario, if you 
will, of bringing vulnerability, threat, and consequences together 
not necessarily in a single document, but in a process, in a plan. 
So when an assessment is done my MIST tool brings me the vul- 
nerability piece; my intelligence folks — my RIAs, is what we call 
them, regional intelligence folks, bring forth the threat piece, and 
combine that with the COOP plan and the emergency occupant 
plan to, I think, to bring together a fairly robust product and as- 
sessment of vulnerabilities and threats to our Federal facilities. 

Mr. Lungren. Mr. Goldstein, would you have any comments on 
that? 

Mr. Goldstein. Thank you, Mr. Chairman. 

You know, we were very pleased that FPS has made progress. 
Don’t get me wrong, we feel that they have made some progress. 
The development of MIST is certainly a way forward out of the 
past, whether it was from the original tools of FSRS, or whether 
it was through the more recent tools, where they use an Excel 
spreadsheet and then they had the whole RAMP program. This is 
a way forward, and we do believe that by finally having a program 
the inspectors can use where they are not subjectively determining 
vulnerability on their own is important. We discussed it in our re- 
port. 

But we do think that being able to include consequence informa- 
tion, as the National infrastructure program requires, is really im- 
portant. In my opinion 

Mr. Lungren. Mr. Patterson suggests that COOP, I believe it is, 
or these other elements that their clients have fulfills that role. 
You have a disagreement with that? 

Mr. Goldstein. What I would tell you is I think that you can’t 
have a robust program without consequence information because 
what you are doing is essentially telling people that you have set 
the dinner table without telling them what the food is going to 
be 

Mr. Lungren. No, I understand. I mean, I have always looked 
at risk, you know, that simple equation of threat, vulnerability, and 
consequence. What I was trying to get at is Mr. Patterson has sug- 
gested, or stated, that he believes that you reach that with this 
other component of information that he receives from what I refer 
to as the clients — ^you might use another term. Is that something 
you would still quarrel with at this point? 

Mr. Goldstein. I don’t think it provides agencies and their cli- 
ents the kind of information they need to make robust decisions 
about which countermeasures they are going to adopt and which 
they aren’t, which have more priority than others. 

Mr. Lungren. Okay. 

Ms. Clarke. 

Ms. Clarke. Thank you, Mr. Chairman. 

Director Patterson, FPS chose to modify the current Office of In- 
frastructure Protection’s infrastructure survey tool for its new in- 
terim risk assessment tool. What other tools did FPS consider and 
why weren’t they selected? 
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General Patterson. Yes, ma’am. I don’t have the specific names 
of the other tools but there were a couple other tools. I know one 
specifically that was being developed by the Office of Science and 
Technology. The challenge with that particular tool was that it was 
still in the development phase and it was being beta tested. 

One of the challenges that I believe that we were going to have 
was that we were not involved in setting the requirements for the 
tool. So therefore, we would had to have started from the very be- 
ginning to figure out, you know, whether or not our requirements 
were going to be met, and then if they weren’t, how we were going 
to incorporate that. 

I felt that I needed to deliver something. We had spent time, a 
bit of time, on RAMP. I felt that we needed to do, to move forth 
quickly to try to do something to ensure that we were providing our 
customers, our clients, an assessment product — okay, not just an 
assessment, but an assessment product — and I thought MIST 
would be the best way to do that. 

Ms. Clarke. How does FPS plan to address the limitations that 
GAO identified for MIST? 

General Patterson. Yes, ma’am. For me, this is about being a 
marathon and not a sprint. We are going to work aggressively with 
the ISC, the Interagency Security Committee, to look at how we 
productively and efficiently and effectively incorporate all those 
things that the GAO has recommended and we agree that should 
be considered to be in the tool. 

Part of the challenge that we have is that we need to look at this 
very, if you will, judiciously. When we evaluate or assess a facility 
sometimes there are 10 tenants in that facility, okay, so we have 
to be — we have to ensure that when we produce a report that the 
consequence piece of that, if you will, is going to have relevance to 
all of the folks in that particular facility. 

So I am not exactly sure that trying to put a consequence piece 
into every assessment is the right avenue. So we are going to work 
with the ISC to see how we might develop that and work forward 
and move in that direction. 

Ms. Clarke. How was the decision made to award Argonne Na- 
tional Laboratory the contract to develop MIST? Were there other 
entities considered as well? 

General Patterson. Yes. We were required to — the acquisition 
process required us to consider other avenues for that, and they 
were — the decision was to go with Argonne. 

Ms. Clarke. Okay. 

Mr. Goldstein, when do you estimate that FPS will have a more 
robust guard oversight tool in place that can track guard certifi- 
cation information and offer FPS management with greater insight 
as to whether all of the post inspections that need to be conducted 
are, in fact, occurring? 

Mr. Goldstein. I would judicially say that that is a work in 
progress. I think the Federal Protective Service has recognized that 
there are some vulnerabilities in their process. 

They recently stopped, as of June 2012, any use of RAMP for 
that process; it was the last part of RAMP that was being used and 
they notified offices not to be using that anymore. Much of the in- 
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formation in that system had never been revalidated from the old 
cert system so there were many problems with it. 

I think it is going to take some time. We have some on-going 
work for this committee, taking a look at guard programs, and this 
will be something that we evaluate how others do it and try to 
bring some of that information back to you and to FPS to help 
them as they go forward. It is not a short-term project. 

Ms. Clarke. So would you say — yes, I mean, I recognize that. 
But would you say they are just at the advent of 

Mr. Goldstein. I think they are at the beginning of trying to de- 
termine what they need and how to independently verify certifi- 
cation as well as post inspection, yes, ma’am. 

Ms. Clarke. Okay. How does FPS now track the implementation 
of security countermeasures that are recommended for inclusion in 
the facility security assessments? 

General Patterson. I am sorry, ma’am. Can you repeat that, 
please? 

Ms. Clarke. Yes, sure. How does FPS now track the implemen- 
tation of security countermeasures that are recommended for inclu- 
sion in the facility security assessments? 

General Patterson. Yes, ma’am. Currently we don’t have a 
tracking tool. It is all done manually, if you will, paper. As our in- 
spectors go out and interface with the committees, the security 
committees, the facility security committees to discuss — or the 
agencies to discuss what countermeasures might be necessary or 
what — that we might recommend, at that point we work with the 
FSCs to implement those requirements and it is documented, but 
it is documented on paper at this point because don’t have a digital 
system, if you will, to account for that. 

Ms. Clarke. Thank you, Mr. Chairman. I yield back. 

Mr. Lungren. Gentlelady yields back. 

Mr. Walberg is recognized for 5 minutes. 

Mr. Walberg. Thank you, Mr. Chairman. 

Thanks to the panel for being here. 

Mr. Goldstein, you have noted that MIST, as an interim tool, 
falls short of providing FPS the ability to do many of the things 
that RAMP was intended to provide. You also noted that MIST is 
neither compliant with DHS’s own National infrastructure protec- 
tion plan and the framework that it has nor standards developed 
by the Interagency Security Committee. 

So the question I would initially ask is, why are these standards 
so important? 

Mr. Goldstein. I think the standards are important principally 
because they will create a baseline, but they will also allow that 
baseline to be examined across the host of the Government’s port- 
folio. FPS does not have the ability today to look at the portfolio 
of Government properties that it protects — some 9,000 GSA build- 
ings — and to determine at various levels which of those facilities 
require the most resources. 

They protect everyone, everything essentially at each level in the 
same way, regardless of where it is and what its function is. So 
therefore we have a very static approach, building by building, to 
protecting our Federal infrastructure when resources are obviously 
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very tight, and you can’t leverage the resources and priorities effec- 
tively that way. 

Mr. Walberg. I mean, that being the suggestion then, I guess, 
Mr. Patterson, does FPS believe ISC or NIPP standards are impor- 
tant criteria to meet? 

General Patterson. Oh, absolutely, sir. They are important. We 
are baselining those criteria. 

The challenge that we have is right now, is developing, if you 
will, a tool that will bring all that into play 

Mr. Walberg. But the present tool isn’t compliant with any of 
those standards, is it? 

General Patterson. It is not ISC-compliant because it does not 
take into consideration the consequence piece of the assessment, 
okay? However, the tool isn’t compliant but our process is compli- 
ant, okay, and the process 

Mr. Walberg. Explain that a little further. 

General Patterson. Yes, sir. I will. The tool is no more than a 
product that we provide to our customer. It is a snapshot in time 
of what we believe to be the vulnerability, the threat, and in this 
case, the consequence at a particular facility, okay? We discuss 
each one of those elements at the out-brief when we have com- 
pleted an assessment. 

All right, now, that MIST tool — that MIST product — will not 
cover all three, but that doesn’t mean that we haven’t covered that 
with our customers, all right? So what we are trying to do is we 
are trying to work with the ISC to develop a product, a tool, a prod- 
uct that we can deliver at the end of the day, at the end of the as- 
sessment that allows them to capture all of that into one document. 
We can’t do that today. 

Mr. Walberg. What is the time period you are expecting this 
tool to be developed and then fully implemented? 

General Patterson. In my discussions with the ISC, to their 
knowledge there is no one out there today that has a tool that will 
do that, that has been proven to do that. I understand that there 
might be a few folks out there who think they may have a tool to 
do that, but no one at this point has demonstrated that they have 
an effective tool that brings into play vulnerability, threat, and con- 
sequence into one document, or into a process that will bring all 
that together and you can provide that to our clients. 

So we are working aggressively with GSA, with the ISC, and oth- 
ers to look at how we might do that and how the community — how 
we can work together with the community to make that happen. 

Mr. Walberg. Mr. Goldstein, would you concur with that, that 
there is not a tool capable at this time, or 

Mr. Goldstein. We haven’t looked at that specifically, sir. We 
are doing some work for this committee — just beginning that 
work — taking a look at assessment tools across the Federal Govern- 
ment and out in the broader community, and we will hopefully be 
able to report back on that on the near future. 

Mr. Walberg. Okay. 

Mr. Patterson, I understand that MIST was developed as an in- 
terim tool to replace RAMP. What is FPS’s long-term plan to re- 
place RAMP and what is the time line for that implementation? 
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General Patterson. Yes, sir. The long-term plan is to create a 
tool that is ISC-compliant. I currently don’t have a — I don’t have 
a time line for that. 

Again, we are going to — we are actively working with the ISC 
and collaborating with the ISC. We are actively collaborating with 
GSA to begin to look at how we will do that: What is the next step? 
Because we want to build upon what we have at MIST, what we 
have created with MIST, so that we are not recreating every time 
we decide to develop a new tool or a new process. We don’t want 
to recreate that every time. 

So the bottom line is is that we are going to work with the ISC 
and the community to look at how we move forward. I wish I could 
give you a better answer but I don’t have a better answer at this 
point until we can collaboratively come together and begin to figure 
out the path forward. 

Mr. Walberg. Well, I see my time has expired. 

Mr. Lungren. Mr. Richmond 

Mr. Walberg. Thank you, Mr. Chairman. 

Mr. Lungren [continuing]. Is recognized for 5 minutes. 

Mr. Richmond. Mr. Patterson, I guess I need you to make a con- 
nection for me and monitor the conversation with my colleague, 
and you said that MIST, or whatever you are using now, the pro- 
gram does not have consequence in it but your process has con- 
sequence in it. Did I hear that right? 

General Patterson. Yes. 

Mr. Richmond. I guess I am falling short that if the process has 
consequence in it why can’t we develop a tool that puts vulner- 
ability, threat, and consequence into one thing? I guess I am lost 
on that. Can you 

General Patterson. Sure. 

Mr. Richmond. Can you help me on that? 

General Patterson. I am not debating that we can. I am just 
saying that I haven’t found a way to do that today. 

My work to this point — our research to this point — has taken us 
through vulnerability and threat, but incorporating the con- 
sequence piece, as we would have it within the Federal sector, is 
very different than you incorporate consequence necessarily into 
the private sector. So what we are trying to do is when we do that 
we want to make sure that we develop a tool that is usable, that 
has got credibility, and we just haven’t reached that point yet. 

So when I talk about the consequence piece in the process, the 
process is is that when we sit down and talk with our customers 
and with our clients we talk about their ability to reconstitute, 
their ability to perform if there is an event, okay, and there are 
certain things that they have already done. 

For instance, IRS has a COOP plan. If there is an IRS — if there 
is an event — for instance, the airplane that flew into the IRS facil- 
ity in Austin, Texas a few years ago, well the IRS had a way to 
reconstitute. They knew exactly what they needed to do in order 
to move those functions from that facility to another facility, okay? 

So for them it wasn’t about us bringing something to them, all 
right? They knew exactly what they wanted to do. They had a plan. 
They have a plan. 



27 


Most Federal agencies have a plan if there is a problem, if there 
is an event that happens that takes them away from their facility. 

Mr. Richmond. You said most of them do. Do 

General Patterson. That is an assumption. I would hope all do. 

Mr. Richmond. Okay. I guess that was going to be my next ques- 
tion: Do we have a good take on who has and who does not 
have 

General Patterson. No. We work with every agency — every fa- 
cility, every agency that we do an assessment, we work with them 
on what they call the occupant emergency plan, and that is a plan 
to do just what we are talking about. If there is a problem — if it 
is a natural disaster, if it is a criminal event or a terrorism event, 
what will you do? We go through a myriad of scenarios with them 
as to what they would do. Through every assessment we work with 
every tenant in the facility on that plan. 

Mr. Richmond. I remember from the last hearing we talked 
about that there was the inability, or we were not in a position to 
verify the — that the guards that were on post were trained and cer- 
tified. Have we developed something to better assess whether they 
are trained, certified, and present on our — in our Federal build- 
ings? 

General Patterson. Yes. What we are doing now — we don’t — 
clearly we need a better process. Right now it is a pen-and-paper 
process for us. 

We were hoping — the agency was hoping that RAMP was going 
to resolve this or help us get a little closer to a better solution. 
When that didn’t evolve, when that didn’t work, what I had di- 
rected all of my regions to do is revert back to a paper process, if 
you will, working with — as our PSOs are brought on for their time 
to do work, or when a client — not a client, but when our contrac- 
tors, if you will, when they hire a PSO to work there is a package 
of certifications that each of our PSOs must have. That package — 
those certifications are maintained by the contractor. 

However, that information that is contained in those certification 
packages are then forwarded — is then forwarded to every one of my 
regions. So we have on file in our regions, if you will, that informa- 
tion. 

Now, the challenge is how often we can get through there and 
continue to recertify that their certifications are up-to-date. We 
have 13 certifications in those files that must be certified every 
year, or recertified every year. So it is a huge administrative task 
for us to go through that and we are looking for ways that we can 
digitize that, we can use technology to help us with that; we are 
just not there yet. 

Mr. Richmond. I see that my time has expired so I yield back. 
Thank you, Mr. Chairman. 

Mr. Lungren. Thank you. 

We might have time for a quick second round if anybody is inter- 
ested. 

Let me just recognized myself in the first instance, and that is, 
Mr. Goldstein, you heard Mr. Patterson’s response to the question 
about consequence. Here is my concern — I will have Mr. Patterson 
answer after I ask your thoughts — when Mr. Patterson described 
it he talked about some of the clients, such as IRS, having an abil- 
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ity to reconstitute themselves. That is what they have. That is 
their part of this consequence. 

But I thought this tool that we were trying to develop, or tools, 
to do threat assessment was for the purpose of establishing, by 
FPS, what the levels of security would be so that you would have 
them more in line with what the overall risk assessment was. In 
that regard, a consequence piece would help Mr. Patterson and his 
organization decide the level of security as opposed to, as you sug- 
gested, I thought, in your testimony, that it is kind of an across- 
the-board, everybody is treated the same. 

Am I correct in what you said and the reason why the lack of 
consequence would affect their ability to make those decisions? 

Mr. Goldstein. Yes, sir. Mr. Patterson’s discussion of COOP is 
an important element of, obviously, responding to any disaster or 
any attack but it isn’t directly related, I would submit, to what we 
are talking about, in that the need to have consequence informa- 
tion as part of this program, which he agrees they will eventually 
develop and we are simply bringing that point out, is so that agen- 
cies working with the Federal Protective Service will have guidance 
on how to prioritize protecting facilities themselves over a period 
of time. 

Mr. Lungren. Mr. Patterson, that is what I have found is a dis- 
connect in what you are saying. I understand — I am happy that 
IRS knew how to reconstitute itself, but in terms of your assess- 
ment of your operation’s ability to manage your resources in tough 
budget times, to decide where you need to put your emphasis, 
where you need to have more, where you need to have less, that 
that assessment tool or tools are to allow you to do that as opposed 
to you determining exactly what IRS ought to do at this place or 
one of your other clients. 

General Patterson. Yes, sir. Again, it is — from our perspective 
it is a huge challenge as to how we incorporate consequence into 
any tool. 

For instance, as I stated before, every facility is different. Some 
facilities, they are just stand-alone agencies; and other facilities, 
much like the Reagan Building, there might be literally 10 to 20 
different agencies with different requirements — having different re- 
quirements, and having much more, if you will, at risk than some 
of the other agencies in there. 

So as we look across the spectrum of facilities that we have to 
assess what I am trying to get away from is a one-size-fits-all kind 
of a tool. 

Mr. Lungren. I don’t want you to do that. That is why I am try- 
ing to figure out 

General Patterson. Yes, sir. 

Mr. Lungren [continuing]. Why consequence couldn’t be incor- 
porated into the tool that you use, or you have some integration at 
some point in time of two tools so that you have those three things 
together in making your risk assessment to aid you in a determina- 
tion of the level of security and the prioritizing of your resources. 
That is all I am trying to figure out. 

General Patterson. Yes, sir. Again, it is our intent to incor- 
porate consequence; we are just trying to figure out, how do we do 
that? 
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Mr. Lungren. Okay. Ms. Clarke. 

Ms. Clarke. Thank you, Mr. Chairman. 

This question is for Director Patterson and Mr. Goldstein: How 
does FPS track the effectiveness and performance of the security 
countermeasures that it has recommended? How do you actu- 
ally — 

General Patterson. We have our inspectors who visit our sites 
routinely, who visit Federal facilities routinely to assess the effec- 
tiveness of our PSOs. When we do post inspections that is an as- 
sessment of our contract guard force. 

We also visit our camera facilities to look at whether or not they 
are operating, and when they are not to look, and working with the 
FSC to get them repaired. So this is on an on-going and continual 
basis, looking at all of our countermeasures on a routine basis to 
ensure that they are operating efficiently and effectively. 

Ms. Clarke. Would you say it is a cyclical type of regimen that 
your inspectors are engaged in? Because I would imagine when you 
look at various facilities the landscape around those facilities may 
change from time to time with infrastructure changes, with 

General Patterson. Right. I mean, you know, we can — we — from 
time to time we will have different tenants who move in who have 
different requirements, or they, like, as you just stated, ma’am, 
where there are facilities that may come up next to or where we 
have to assess whether or not — what that impact might be on a bus 
station, let’s say, moving in next to one of our facilities. So abso- 
lutely. 

But that is a continuing process for us. We don’t wait for the as- 
sessment period to do that. If, in fact, we know that the city is 
building — has new construction going up to one of our GSA facili- 
ties we engage immediately with GSA and the tenant to find out 
what — and the city — to find out what is going up and what the im- 
pact might be, and what we may need to do to answer the — to see 
if there is going to be an additional security standard that we may 
have to set out as a result of that. 

Ms. Clarke. Is there, baked into the MIST system, a way of 
keeping track of that information? 

General Patterson. I am sorry. Let me — is there going to be a 
way 

Ms. Clarke. Yes, of, you know — over time you are going to 
maybe have overlays 

General Patterson. Yes. Yes. Our MIST system, yes, as MIST 
is rolled out and as we are incorporating all that information, yes, 
ma’am, that all will be digitized into MIST so we can go back im- 
mediately and determine, you know, what systems are there and 
then how we need to correct, or adjust, or whatever we need to do 
to those systems, yes. 

Ms. Clarke. Dr. Peerenboom, what capabilities, if any, would a 
more permanent tool have over FPS’s interim MIST tool? 

Mr. Peerenboom. Well, as stated by Director Patterson and Mr. 
Goldstein, MIST is not a risk tool. It focuses on vulnerabilities. But 
it was based on work done for the Office of Infrastructure Protec- 
tion at DHS, the infrastructure survey tool. That provides a plat- 
form or basis by which one could expand. 
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In fact, within I.P. they are looking at single assessment meth- 
odologies to pull together tools and capabilities that address risk in 
a holistic fashion to inform decisions about security investments. 
The customers of Office of Infrastructure Protection are slightly dif- 
ferent; they are the owners and operators. The 1ST tool that we de- 
veloped and modified for FPS is applicable to all 18 critical infra- 
structures, so it has a broader base. 

But the subset of questions and things that apply to Federal fa- 
cilities is what was done for MIST. 

Ms. Clarke. What makes these capabilities necessary? 

Mr. Peerenboom. The Office of Infrastructure Protection has a 
mission to provide protection and risk analysis for critical infra- 
structure, and so their sets of tools are designed to encompass that 
broad spectrum. The 1ST that we developed MIST from addresses 
part of the equation, and there are efforts underway to expand that 
base within Office of Infrastructure Protection. It provides a point 
of leverage for FPS should they decide to use that. 

Ms. Clarke. So when the risk or the vulnerabilities seem to be 
evolving, how do — how effective is the MIST tool, in terms of indi- 
cating for FPS what new measures need to be taken? Is it dynamic, 
in other words? 

Mr. Peerenboom. Well, that is really — I should let Director Pat- 
terson speak to that issue, but MIST provides a basis for looking 
at the vulnerabilities to the facility and the inspectors can add in 
their recommendations and their understanding of the con- 
sequences of protective measures that would — not consequences, 
excuse me — the countermeasures that would be applicable to that 
facility. 

The MIST tool is partly compliant with the ISC standards but it 
is not an ISC-compliant tool. But we certainly took that into ac- 
count, and over time, should FPS decide to do that, technically it 
is possible to address those standards. 

Ms. Clarke. All right. Thank you. 

Mr. Lungren. Mr. Walberg. 

Mr. Walberg. Thank you, Mr. Chairman. 

Drilling down in the same board again, Mr. Peerenboom, can 
MIST be developed to capture consequence? Is it capable? 

Mr. Peerenboom. Technically the answer is yes. 

Mr. Walberg. Go a little further on why you would say tech- 
nically the answer is yes. 

Mr. Peerenboom. Well, there are capabilities, as I indicated ear- 
lier, that are being developed within the Office of Infrastructure 
Protection, to enhance the capabilities of the infrastructure survey 
tool that provides the basis that MIST was developed on, and we 
have the capabilities to incorporate elements of consequence, but 
that is a decision that obviously is not ours. But technically it is 
feasible. 

Mr. Walberg. It is feasible, but would you say it is not the best 
tool? 

Mr. Peerenboom. It depends on requirements. No, I didn’t say 
that. 

Mr. Walberg. Okay. Okay. Thank you. 

Mr. Patterson, I would applaud you and commend you for put- 
ting an emphasis on training in your tenure at FPS, and I agree 
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that training is a key for your force’s morale and effectiveness in 
the process. 

Last summer you stated that you were looking at different ways 
FPS may be able to deliver X-ray and magnetometer and weapons 
training. I understand there has been significant dialogue and out- 
reach between FPS and the private sector, which may be able to 
better deliver the training. 

Could you enlighten us at this point in time on the on-going dia- 
logue with industry to improve guard training? 

General Patterson. Yes, sir. Well, first of all, one of the things 
that I needed to do was hire a senior deputy director for training 
to — who could focus in on this full-time and not be a part-time 
duty. So I have done that. So now I have someone who is looking 
across the board at all the training within FPS full-time. 

Now, as we look at training for our PSO force, we are actively 
working with NASCO, the National Association of Security Compa- 
nies, to work with them and look at how we can proliferate train- 
ing across 13,000 PSOs that support FPS and all of our Federal 
partners. It is a huge task, because when you are talking about 
providing services in 50 States that all have different, if you will, 
training requirements, okay, we have to ensure that we are doing 
it in such a way that we are getting the best bang for our buck. 

One of the things in the National Weapons Detection Program, 
in magnetometers and X-ray machines, that I knew that we needed 
to do was to ensure that our inspectors were adequately trained, 
and we have done that — we are doing it. We are just about com- 
pleted all of our training for our inspectors for the magnetometers 
and X-ray machines 

Mr. Walberg. The additional 8 hours of training that you 
were 

General Patterson. Yes. 

Mr. Walberg [continuing]. Proposing? 

General Patterson. That is going to be cascaded by our inspec- 
tors, by a team of our inspectors to the — to our PSO force. Worlong 
with the — kind of in a deal where we do kind-of a trained-to-trainer 
kind-of a thing as well so that we can also work with our — within 
the contractor force, within the contractor structure to, in such, cer- 
tify our contractors so that they can provide some of the training, 
as well. 

Mr. Walberg. You feel that FPS is capable of delivering con- 
sistent training across, as you say, the 50 States and the unique- 
ness of each of those? 

General Patterson. Yes, sir. Absolutely. 

Mr. Walberg. Mr. Goldstein, would you concur with that? 

Mr. Goldstein. We remain concerned, sir, because the problem 
that brought on the need for the additional training is now more 
than 3 years old when GAO was able to bring bomb-making mate- 
rials into 10 Federal facilities without anyone knowing and build- 
ing those bombs. It has been 3 years, and the contract guards who 
are there to prevent things like that from happening haven’t had 
that additional training in all of that time. 

I understand that the agency is resource-constrained, but it 
would seem to me that this would have been a matter of the high- 
est priority, sir. 
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Mr. Walberg. Within 3 years? 

Mr. Goldstein. Yes, sir. 

Mr. Walberg. Thank you. 

Mr. Lungren. Thank you very much. 

I thank all the Members for their participation. 

I want to thank the witnesses for your valuable testimony. The 
Members of the committee may have some additional questions for 
our witnesses, and so we would ask you to respond to those in writ- 
ing. The hearing record will be held open for 10 days, and this sub- 
committee stands adjourned. 

[Whereupon, at 11:09 a.m., the subcommittee was adjourned.] 
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Questions From Chairman Daniel E. Lungren for L. Eric Patterson 

Question 1. In testimony before the House Committee on Homeland Security in 
November 2009, NPPD Under Secretary Rand Beers testified that NPPD was con- 
ducting a workforce needs analysis for EPS, at the request of Secretary Napolitano, 
to ensure that EPS has “the right resources and staffing levels to match the mis- 
sions EPS currently has.” Under Secretary Beers further stated that when the re- 
sults of the study were complete, Confess would be notified. 

What were the results of the analysis? 

Answer. The Federal Protective Service (EPS) conducted a workforce needs anal- 
ysis between 2009 and 2010 and the results were used internally within the Depart- 
ment of Homeland Security. The results were a first step but did not fully meet the 
needs of the Service. FPS currently has a Federally Funded Research and Develop- 
ment Center on contract to conduct an activities analysis to refresh the past as- 
sumptions and requirements so that FPS may evaluate staffing levels in future 
years. FPS will brief the committee on the completion of the updated analysis. 

Question 2a. While FPS is taking positive steps to improve the standardization 
and consistency of FPS, there are still concerns that FPS operates differently from 
region to region and lacks consistent standards. 

Is consistency throughout the regions a concern of yours? 

Question 2b. What steps are being taken to improve consistency of FPS from re- 
gion to region? 

Question 2c. Is headquarters assignment a prerequisite for promotion at FPS, and 
if not, do you think that would improve standardization and consistency of FPS poli- 
cies? 

Answer. The Federal Protective Service (FPS) is performing an activities analysis 
to understand and document where it should introduce or modify policies to increase 
operational effectiveness and reduce risk. Several variables, including geography, 
law, threat, and a specific customer, could warrant differences in operational activi- 
ties across regions. Through FPS’s current detailed review of functions and activi- 
ties, it is identifying commonalities and best practices to inform uniform National 
policies where it makes sense to do so. FPS would be pleased to provide a detailed 
briefing on this effort and highlight policy and process improvements that are being 
implemented Nation-wide. 

In addition, FPS has taken steps to realign its workforce to effectively map per- 
sonnel resources to program functions. The result of this effort was the creation of 
an Area Management Concept, which compartmentalizes reporting for 11 regional- 
level offices into three Field Operations. Each Field Operation, led by a Senior Exec- 
utive Service-level Assistant Director, provides oversight for multiple regional offices 
to help ensure standardization and consistency across the service. This area concept 
is a geographic-based structure that streamlines operational reporting through con- 
solidation of information channels. 

An assignment to headquarters is not a prerequisite for promotion at FPS. The 
creation of the Area Management Concept, led by three Senior Executive Service- 
level and field-based Assistant Directors, is providing standardization and consist- 
ency across the service. 

Questions From Ranking Member Yvette D. Clarke for L. Eric Patterson 

Question 1. According to GAO, FPS spent $795 million on its contract guards in 
fiscal year 2011 which represented 90% of the agency’s procurement budget. How 
much is FPS obligated to spend on its contract guards in fiscal year 2012, and what 
are the projected expenditures for fiscal year 2013? 

Answer. The Federal Protective Service (FPS) obligated $765.6 million on its 
guard contracts in fiscal year 2011, which represented approximately 91 percent of 
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its total contract obligations. FPS projects that it will obligate approximately $764.6 
million in this program in fiscal year 2012. This projection is based on the known 
fiscal year 2012 obligations to date ($750.9 million as of August, 10, 2012), plus ad- 
ditional expected obligations through September 30, 2012, totaling $13.7 million for 
recurring guard services and pending modifications and/or equitable adjustments 
under existing contracts. FPS projects that it will obligate approximately $784.4 
million in fiscal year 2013. This projection is based on the estimated escalation of 
the fiscal year 2012 obligation by 2.6 percent, which accounts for estimated infla- 
tionary factors such as Service Contract Act wage adjustments. However, FPS may 
obligate additional amounts in fiscal year 2013 as necessary to account for emerging 
requirements for existing and new customers and any changes that may arise con- 
cerning guard requirements. 

Question 2. Why is it that as of June 2012, a total of $652,000 was spent on 
MIST, which appears to be useful so far, while RAMP has yielded no tangible re- 
sults after four years and $35 million or more in expenditures? 

Answer. The Risk Assessment and Management Program (RAMP) experienced 
significant programmatic and technical issues, primarily related to insufficient user 
involvement in the requirements definition and testing of the application, as well 
as the lack of an approved program baseline to control and measure program 
progress. 

The efforts to develop and field the Modified Infrastructure Survey Tool (MIST) 
have been more successful because the program benefited from leveraging an exist- 
ing software application already in service with the Office of Infrastructure Protec- 
tion. MIST and its development addressed the shortcomings experienced within 
RAMP by instituting program management best practices to provide adequate con- 
trols on the development effort, and ensuring user involvement in the development 
and testing of MIST. 

Question 3. Given that FPS had a June 2012 deadline to decide what to do with 
the data remaining within RAMP, what decision has been made? If a decision has 
yet to be made, what are the next steps? 

Answer. The June 2012 deadline was tied to the expiration of the sustainment 
support contract for the legacy Risk Assessment and Management Program (RAMP) 
application. The expiration of that contract does not equate to a loss of data, as the 
Government owns the rights to the software and RAMP is currently installed within 
the Department of Homeland Security (DHS) Data Center 1 production environ- 
ment. 

The Federal Protective Service (FPS) has examined the data within RAMP and 
identified three major data sets that needed to be retained: The RAMP repository, 
which is a library of historical assessments and policy documents; Protective Secu- 
rity Officer (contract guard) contracting information; and guard post inspection re- 
ports. Data from all other modules within RAMP is either resident elsewhere within 
FPS or lacks value due to problems with RAMP functionality. 

FPS has decommissioned RAMP as of July 12, 2012. With user access no longer 
available, the final data set was copied to FPS servers to ensure retention of the 
data. FPS will continue to work to dispose of the RAMP application during the 
fourth quarter of fiscal year 2012 and remove the application and all data from the 
DHS Data Center 1. 

Questions From Ranking Member Yvette D. Clarke for Mark L. Goldstein 

Question 1. How will the security of Federal facilities be affected if FPS inspectors 
and law enforcement security officers are not adequately trained to use MIST? 

Answer. The protection of Federal facilities may be significantly hampered if 
FPS’s law enforcement security officers do not receive training on the Modified In- 
frastructure Survey Tool (MIST). As we reported in August 2012, FPS is not assess- 
ing risk at Federal facilities but plans to resume assessing Federal facilities 
vulnerabilities with MIST. However, if FPS’s law enforcement security officers do 
not receive MIST training and no other alternative assessment tool is used, the 
backlog of facilities not assessed will increase significantly. According to FPS data, 
more than 5,000 facilities were to be assessed in fiscal years 2010 through 2012. 

Question 2. What tools or options would be available to FPS in the event that 
MIST training is not completed? 

Answer. FPS may be able to use other tools if it cannot use MIST to assess Fed- 
eral facilities. For example, one tool is the Federal Security Risk Manager (FSRM), 
which FPS used from 2600 to 2009. However, FPS has experienced problems using 
FSRM. Another potential tool is the Integrated Rapid Visual Screening developed 
by DHS’s Science and Technology Directorate (S&T). The IRVS is a risk assessment 
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tool that assesses risk using threat, vulnerability, and consequence. According to an 
S&T official, the IRVS is available to FPS at no cost. 

Question 3. Will the implementation of MIST and other FPS activities allow for 
enhanced compliance with the Interagency Security Committee standards? 

Answer. FPS has taken some steps to Setter align MIST with the Interagency Se- 
curity Committee (ISC) standards. For example, MIST uses the ISC recommended 
countermeasures for defined threat scenarios for each facility security level. 

Questions From Ranking Member Yvette D. Clarke for James P. Peerenboom 

Question 1. What are the costs associated with developing and implementing 
MIST as the interim replacement for RAMP? 

Answer. Argonne developed the Modified Infrastructure Survey Tool (MIST) 
under an existing Interagency Agreement (lAA) with the U.S. Department of Home- 
land Security National Protection and Programs Directorate’s Office of Infrastruc- 
ture Protection (NPPD/IP). Similar methodologies and technologies developed by Ar- 
gonne for NPPD/IP, such as the Infrastructure Survey Tool (1ST), were leveraged 
to reduce MIST development time, cost, and risk. A total of $850,000 was committed 
under the lAA to build on the foundation established for the 1ST to develop, test, 
and deliver MIST Release 1.0. More than half of the funds were used for hardware 
and software to establish a web portal, called the FPS Gateway, that allows for 
sharing of information products and knowledge in real time. The FPS Gateway 
leverages the architecture and hardware/software technology of the Linking 
Encrypted Network System (LENS), a similar platform that Argonne also developed 
for NPPD/IP. Work on the project was initiated on October 3, 2011. Argonne deliv- 
ered MIST Release 1.0 and the FPS Gateway to FPS on March 30, 2012. 

Question 2. Are there any features within RAMP that can be adapted for use with 
MIST? 

Answer. Argonne was not tasked to evaluate RAMP and its features. 

Question 3. What are the projected costs and time table for the completion of 
MIST? 

Answer. The scope of work for MIST development was completed, and MIST Re- 
lease 1.0 and the FPS Gateway were delivered to FPS, on March 30, 2012. The 
products were delivered on time and within the defined budget. Future enhance- 
ments to MIST, if any, and Argonne’s potential role in completing such enhance- 
ments are unknown. 

Question 4. Do you anticipate any cost overruns with regard to MIST? 

Answer. No cost overruns were associated with Argonne’s development and deliv- 
ery of MIST Release 1.0 and the FPS Gateway. 
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